CN110995546B - Message sampling method and device - Google Patents
Message sampling method and device Download PDFInfo
- Publication number
- CN110995546B CN110995546B CN201911333217.3A CN201911333217A CN110995546B CN 110995546 B CN110995546 B CN 110995546B CN 201911333217 A CN201911333217 A CN 201911333217A CN 110995546 B CN110995546 B CN 110995546B
- Authority
- CN
- China
- Prior art keywords
- quintuple information
- message
- storage unit
- rule
- determined
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000005070 sampling Methods 0.000 title claims abstract description 42
- 238000000034 method Methods 0.000 title claims abstract description 32
- 238000004891 communication Methods 0.000 claims description 17
- 238000004590 computer program Methods 0.000 claims description 11
- 238000010586 diagram Methods 0.000 description 10
- 238000012986 modification Methods 0.000 description 5
- 230000004048 modification Effects 0.000 description 5
- 238000004458 analytical method Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 230000032683 aging Effects 0.000 description 2
- 230000006399 behavior Effects 0.000 description 2
- 230000004075 alteration Effects 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/10—Active monitoring, e.g. heartbeat, ping or trace-route
- H04L43/103—Active monitoring, e.g. heartbeat, ping or trace-route with adaptive polling, i.e. dynamically adapting the polling rate
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/36—Flow control; Congestion control by determining packet size, e.g. maximum transfer unit [MTU]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/164—Adaptation or special uses of UDP protocol
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Cardiology (AREA)
- General Health & Medical Sciences (AREA)
- Environmental & Geological Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a message sampling method and a device, wherein the method comprises the following steps: matching the received message with a preset rule list; if the message is determined to be matched with at least one rule in the rule list, determining a register index according to first quintuple information of the message; and determining whether to collect the message according to the at least one rule according to the first quintuple information and second quintuple information stored in a storage unit corresponding to the register index. The scheme determines whether to acquire the message according to at least one rule or not based on the first quintuple of the message and the second quintuple information stored in the storage unit corresponding to the determined register index through a programmable logic device in the sampling equipment.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for sampling a packet.
Background
With the continuous expansion of network scale, data centers put higher demands on network service quality and security. At present, a traffic collection and analysis application program is deployed in a sampling device, and after network characteristics (such as delay, jitter, packet loss, and the like) of each flow are acquired, behavior characteristics and network service quality of each flow are analyzed, so that effective help is provided for improving network service quality and preventing network attack behaviors.
In the current message sampling method, a flowbrooker framework is deployed in sampling equipment to conduct full drainage, different flows are collected with different numbers of messages, and the messages are reported to an analysis server to be analyzed.
According to the method, the FlowBroker framework is used for sampling the message, the flow of only 1G can be acquired to the maximum extent, the message sampling performance is low, and meanwhile, the resource and sampling cost of a Central Processing Unit (CPU) are high.
Disclosure of Invention
The embodiment of the invention provides a message sampling method and a message sampling device, which are used for solving the problems of low message sampling performance and high consumption of CPU (Central processing Unit) resources and bandwidth resources in the prior art.
According to an embodiment of the present invention, a method for sampling a packet is provided, which is applied to a programmable logic device of a sampling device, and the method includes:
matching the received message with a preset rule list;
if the message is determined to be matched with at least one rule in the rule list, determining a register index according to first quintuple information of the message;
and determining whether to collect the message according to the at least one rule according to the first quintuple information and second quintuple information stored in a storage unit corresponding to the register index.
Specifically, determining a register index according to the first quintuple information of the packet specifically includes:
acquiring first quintuple information of the message;
performing hash operation on the first quintuple information to obtain a hash value;
and taking the hash value as a register index.
Specifically, determining whether to collect the packet according to the at least one rule according to the first quintuple information and second quintuple information stored in a storage unit corresponding to the register index includes:
acquiring second quintuple information from a storage unit corresponding to the register index;
determining whether the second quintuple information is all 0;
if the second quintuple information is determined to be all 0, storing the first quintuple information in the storage unit, and collecting the message according to the at least one rule;
if the second quintuple information is not determined to be 0 completely, determining whether the first quintuple information is the same as the second quintuple information or not, and if the first quintuple information is determined to be different from the second quintuple information, determining that a hash collision exists and not collecting the message; and if the first quintuple information is determined to be the same as the second quintuple information, acquiring the message according to the at least one rule.
Optionally, the method further includes:
setting a countdown timer with set time length in each storage unit of the register;
resetting a countdown timer of the storage unit after the message is collected according to the at least one rule; or polling whether the remaining time of the countdown timer set in each storage unit of the register is 0 or not, and returning the information in the storage unit of which the remaining time of the countdown timer is 0 to zero.
According to an embodiment of the present invention, there is also provided a packet sampling apparatus applied to a programmable logic device of a sampling device, the apparatus including:
the matching module is used for matching the received message with a preset rule list;
the first determining module is used for determining a register index according to the first quintuple information of the message if the message is determined to be matched with at least one rule in the rule list;
and the second determining module is used for determining whether to acquire the message according to the at least one rule according to the first quintuple information and second quintuple information stored in the storage unit corresponding to the register index.
Specifically, the first determining module is configured to determine a register index according to the first quintuple information of the packet, and specifically configured to:
acquiring first quintuple information of the message;
performing hash operation on the first quintuple information to obtain a hash value;
and taking the hash value as a register index.
Specifically, the second determining module is configured to determine whether to collect the packet according to the at least one rule according to the first quintuple information and second quintuple information stored in a storage unit corresponding to the register index, and specifically configured to:
acquiring second quintuple information from a storage unit corresponding to the register index;
determining whether the second quintuple information is all 0;
if the second quintuple information is determined to be all 0, storing the first quintuple information in the storage unit, and collecting the message according to the at least one rule;
if the second quintuple information is not determined to be 0 completely, determining whether the first quintuple information is the same as the second quintuple information or not, and if the first quintuple information is determined to be different from the second quintuple information, determining that a hash collision exists and not collecting the message; and if the first quintuple information is determined to be the same as the second quintuple information, acquiring the message according to the at least one rule.
Optionally, the method further includes:
and the setting module is used for setting a countdown timer with set time length in each storage unit of the register.
The processing module is used for resetting a countdown timer of the storage unit after the message is collected according to the at least one rule; or polling whether the remaining time of the countdown timer set in each storage unit of the register is 0 or not, and returning the information in the storage unit of which the remaining time of the countdown timer is 0 to zero.
According to the embodiment of the invention, the electronic equipment comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
a memory for storing a computer program;
a processor for implementing the above method steps when executing the program stored in the memory.
According to an embodiment of the present invention, there is also provided a computer-readable storage medium having stored therein a computer program, which when executed by a processor, performs the above-mentioned method steps.
The invention has the following beneficial effects:
the embodiment of the invention provides a message sampling method and a device, wherein a received message is matched with a preset rule list; if the message is determined to be matched with at least one rule in the rule list, determining a register index according to first quintuple information of the message; and determining whether to collect the message according to the at least one rule according to the first quintuple information and second quintuple information stored in a storage unit corresponding to the register index. According to the scheme, whether the message is acquired according to at least one rule is determined based on the first quintuple information of the message and the second quintuple information stored in the storage unit corresponding to the determined register index through the programmable logic device in the sampling equipment, and due to the fact that the programmable logic device is used, message sampling performance can be greatly improved, meanwhile, the participation of a CPU is not needed, CPU resources are greatly reduced, and acquisition cost is reduced.
Drawings
Fig. 1 is a flowchart of a message sampling method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a message sampling apparatus according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an electronic device shown in the present application.
Detailed Description
Aiming at the problems of lower message sampling performance and higher consumption of CPU resources and bandwidth resources in the prior art, the embodiment of the invention provides a message sampling method which is applied to a programmable logic device of sampling equipment, the flow of the method is shown in figure 1, and the execution steps are as follows:
s11: and matching the received message with a preset rule list.
After receiving the message, the message can be matched with a preset rule list, so as to determine whether to collect the message.
The rule list may set a plurality of rules according to actual needs, for example, the rules may be, but are not limited to, collecting N messages before collection, collecting K messages after collecting M messages, collecting Transmission Control Protocol (TCP) messages, collecting User Datagram Protocol (UDP) messages, truncating messages, and the like.
S12: and if the message is determined to be matched with at least one rule in the rule list, determining the register index according to the first quintuple information of the message.
The packet may match one or more rules in the rule list, and then five-tuple information of the packet may be obtained, where the five-tuple information may be defined as first five-tuple information, and then the register index is determined according to the first five-tuple information.
And after the programmable logic device operates, the initial value of the quintuple information stored in each storage unit of the register is 0, and the corresponding storage unit is accessed through the register index to carry out read-write operation.
S13: and determining whether to acquire the message according to at least one rule according to the first quintuple information and second quintuple information stored in a storage unit corresponding to the register index.
According to the scheme, whether the message is acquired according to at least one rule is determined based on the first quintuple information of the message and the second quintuple information stored in the storage unit corresponding to the determined register index through the programmable logic device in the sampling equipment, and due to the fact that the programmable logic device is used, message sampling performance can be greatly improved, meanwhile, the participation of a CPU is not needed, CPU resources are greatly reduced, and acquisition cost is reduced.
Specifically, the determining of the register index according to the first quintuple information of the packet in S12 specifically includes:
acquiring first quintuple information of a message;
performing hash operation on the first quintuple information to obtain a hash value;
the hash value is used as a register index.
When determining the register index according to the first quintuple information of the packet, a hash value obtained by performing hash operation on the first quintuple information may be used as the register index, and certainly, the register index may also be determined in other manners, which is described here by only exemplifying one manner.
Specifically, the determining, in S13, whether to collect the packet according to at least one rule according to the first quintuple information and the second quintuple information stored in the storage unit corresponding to the register index includes:
acquiring second quintuple information from a storage unit corresponding to the register index;
determining whether the second quintuple information is all 0;
if the second quintuple information is determined to be all 0, storing the first quintuple information in a storage unit, and collecting messages according to at least one rule;
if the second quintuple information is not determined to be 0 completely, determining whether the first quintuple information is the same as the second quintuple information or not, and if the first quintuple information is determined to be different from the second quintuple information, determining that a hash conflict exists and not collecting a message; and if the first quintuple information is determined to be the same as the second quintuple information, acquiring the message according to at least one rule.
When determining whether to acquire a message according to at least one rule according to second quintuple information stored in a storage unit corresponding to the first quintuple information and the register index, first obtaining the quintuple information from the storage unit corresponding to the register index, wherein the quintuple information can be defined as the second quintuple information, if determining that the second quintuple information is all 0, the storage unit does not store the quintuple information, directly storing the first quintuple information in the storage unit, and acquiring the message according to at least one rule.
If the second quintuple information is not determined to be 0 completely, the quintuple information is stored before, whether the first quintuple information is the same as the second quintuple information needs to be further determined, if the first quintuple information is determined to be different from the second quintuple information, the Hash collision is determined to exist, only the message can be discarded, and the message is not collected; if it is determined that the first quintuple information is the same as the second quintuple information, it is indicated that other messages corresponding to the first quintuple information have been received before, and the messages may be collected according to at least one rule.
In an alternative embodiment, the method further comprises:
setting a countdown timer with set time length in each storage unit of the register;
resetting a countdown timer of the storage unit after collecting the message according to at least one rule; alternatively, whether or not the remaining time of the countdown timer set in each storage unit of the polling register is 0 is checked, and information in the storage unit in which the remaining time of the countdown timer is 0 is zeroed.
After the message is collected according to at least one rule, the countdown timer of the storage unit can be reset because the message corresponding to the first quintuple of information is received.
Meanwhile, in order to effectively use each storage unit in the register, the information stored in each storage unit may be subjected to aging processing, specifically, a countdown timer may be set in each storage unit, and set to a set time length, and the set time length may be set according to actual needs, for example, may be set to 30 seconds, 1 minute, and the like. The method includes the steps that whether the remaining time of a countdown timer arranged in each storage unit of a register is 0 or not can be polled regularly, if the countdown timer in a certain storage unit is 0, it is indicated that a message corresponding to quintuple information stored in the storage unit is not received within a set time length, aging processing can be directly carried out, and the information stored in the storage unit is cleared so as to be convenient for subsequent use.
When a message is collected according to at least one rule, the method for collecting messages according to different rules is also different, and the following description lists several rules:
first, if the rule is to collect the first N packets, the first N packets of the flow corresponding to the quintuple information are collected by counting.
Secondly, if the rule is that K messages are acquired at intervals of M, the first M messages corresponding to the quintuple information are judged not to be acquired through counting, then K messages are acquired, a counter is set to be 0 after every M + K messages, and circulation is carried out according to the rule.
Thirdly, if the rule is to collect TCP messages, the TCP control fields of the stream need to be accumulated, that is, the control fields of the new messages and the control fields stored in the register are subjected to bitwise or operation, and the accumulated control field information is uploaded.
Fourthly, if the rule is to collect the UDP packet, the control field information sent up is 0 because the UDP data stream has no control field.
Fifth, if the rule is to cut off the message, the original message is cut off with a specified length (byte).
According to the message collected by the one or more rules, firstly, one part of the message is mirrored, then the private UDP header and the collected information are added, and finally the message is sent to an analysis server for analysis in a UDP message format.
Based on the same inventive concept, an embodiment of the present invention provides a packet sampling apparatus, which is applied to a programmable logic device of a sampling device, and the structure of the apparatus is shown in fig. 2, and the apparatus includes:
a matching module 21, configured to match the received packet with a preset rule list;
a first determining module 22, configured to determine a register index according to the first quintuple information of the packet if it is determined that the packet matches at least one rule in the rule list;
and a second determining module 23, configured to determine whether to collect the packet according to at least one rule according to the first quintuple information and the second quintuple information stored in the storage unit corresponding to the register index.
According to the scheme, whether the message is acquired according to at least one rule is determined based on the first quintuple information of the message and the second quintuple information stored in the storage unit corresponding to the determined register index through the programmable logic device in the sampling equipment, and due to the fact that the programmable logic device is used, message sampling performance can be greatly improved, meanwhile, the participation of a CPU is not needed, CPU resources are greatly reduced, and acquisition cost is reduced.
Specifically, the first determining module 22 is configured to determine a register index according to the first quintuple information of the packet, and specifically configured to:
acquiring first quintuple information of a message;
performing hash operation on the first quintuple information to obtain a hash value;
the hash value is used as a register index.
Specifically, the second determining module 23 is configured to determine whether to collect the packet according to at least one rule according to the first quintuple information and the second quintuple information stored in the storage unit corresponding to the register index, and specifically configured to:
acquiring second quintuple information from a storage unit corresponding to the register index;
determining whether the second quintuple information is all 0;
if the second quintuple information is determined to be all 0, storing the first quintuple information in a storage unit, and collecting messages according to at least one rule;
if the second quintuple information is not determined to be 0 completely, determining whether the first quintuple information is the same as the second quintuple information or not, and if the first quintuple information is determined to be different from the second quintuple information, determining that a hash conflict exists and not collecting a message; and if the first quintuple information is determined to be the same as the second quintuple information, acquiring the message according to at least one rule.
Optionally, the method further includes:
and the setting module is used for setting a countdown timer with set time length in each storage unit of the register.
The processing module is used for resetting the countdown timer of the storage unit after the message is collected according to at least one rule; alternatively, whether or not the remaining time of the countdown timer set in each storage unit of the polling register is 0 is checked, and information in the storage unit in which the remaining time of the countdown timer is 0 is zeroed.
An electronic device is further provided in the embodiment of the present application, please refer to fig. 3, which includes a processor 310, a communication interface 320, a memory 330, and a communication bus 340, wherein the processor 310, the communication interface 320, and the memory 330 complete communication with each other through the communication bus 340.
A memory 330 for storing a computer program;
the processor 310 is configured to implement the message sampling method according to any of the above embodiments when executing the program stored in the memory 330.
The communication interface 320 is used for communication between the above-described electronic device and other devices.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components.
According to the scheme, whether the message is acquired according to at least one rule is determined based on the first quintuple information of the message and the second quintuple information stored in the storage unit corresponding to the determined register index through the programmable logic device in the sampling equipment, and due to the fact that the programmable logic device is used, message sampling performance can be greatly improved, meanwhile, the participation of a CPU is not needed, CPU resources are greatly reduced, and acquisition cost is reduced.
Accordingly, an embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed on a computer, the computer is caused to execute the message sampling method in any of the foregoing embodiments.
According to the scheme, whether the message is acquired according to at least one rule is determined based on the first quintuple information of the message and the second quintuple information stored in the storage unit corresponding to the determined register index through the programmable logic device in the sampling equipment, and due to the fact that the programmable logic device is used, message sampling performance can be greatly improved, meanwhile, the participation of a CPU is not needed, CPU resources are greatly reduced, and acquisition cost is reduced.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While alternative embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following appended claims be interpreted as including alternative embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made in the embodiments of the present invention without departing from the spirit or scope of the embodiments of the invention. Thus, if such modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass such modifications and variations.
Claims (10)
1. A message sampling method is applied to a programmable logic device of sampling equipment, and is characterized by comprising the following steps:
matching the received message with a preset rule list;
if the message is determined to be matched with at least one rule in the rule list, determining a register index according to first quintuple information of the message;
and determining whether to collect the message according to the at least one rule according to the first quintuple information and second quintuple information stored in a storage unit corresponding to the register index.
2. The method of claim 1, wherein determining a register index according to the first quintuple information of the packet specifically comprises:
acquiring first quintuple information of the message;
performing hash operation on the first quintuple information to obtain a hash value;
and taking the hash value as a register index.
3. The method according to claim 1 or 2, wherein determining whether to collect the packet according to the at least one rule according to the first quintuple information and second quintuple information stored in the storage unit corresponding to the register index specifically includes:
acquiring second quintuple information from a storage unit corresponding to the register index;
determining whether the second quintuple information is all 0;
if the second quintuple information is determined to be all 0, storing the first quintuple information in the storage unit, and collecting the message according to the at least one rule;
if the second quintuple information is not determined to be 0 completely, determining whether the first quintuple information is the same as the second quintuple information or not, and if the first quintuple information is determined to be different from the second quintuple information, determining that a hash collision exists and not collecting the message; and if the first quintuple information is determined to be the same as the second quintuple information, acquiring the message according to the at least one rule.
4. The method of claim 3, further comprising:
setting a countdown timer with set time length in each storage unit of the register;
resetting a countdown timer of the storage unit after the message is collected according to the at least one rule; or polling whether the remaining time of the countdown timer set in each storage unit of the register is 0 or not, and returning the information in the storage unit of which the remaining time of the countdown timer is 0 to zero.
5. A message sampling device is applied to a programmable logic device of sampling equipment, and is characterized by comprising:
the matching module is used for matching the received message with a preset rule list;
the first determining module is used for determining a register index according to the first quintuple information of the message if the message is determined to be matched with at least one rule in the rule list;
and the second determining module is used for determining whether to acquire the message according to the at least one rule according to the first quintuple information and second quintuple information stored in the storage unit corresponding to the register index.
6. The apparatus according to claim 5, wherein the first determining module is configured to determine a register index according to the first quintuple information of the packet, and is specifically configured to:
acquiring first quintuple information of the message;
performing hash operation on the first quintuple information to obtain a hash value;
and taking the hash value as a register index.
7. The apparatus according to claim 5 or 6, wherein the second determining module is configured to determine whether to collect the packet according to the at least one rule according to the first quintuple information and second quintuple information stored in the storage unit corresponding to the register index, and is specifically configured to:
acquiring second quintuple information from a storage unit corresponding to the register index;
determining whether the second quintuple information is all 0;
if the second quintuple information is determined to be all 0, storing the first quintuple information in the storage unit, and collecting the message according to the at least one rule;
if the second quintuple information is not determined to be 0 completely, determining whether the first quintuple information is the same as the second quintuple information or not, and if the first quintuple information is determined to be different from the second quintuple information, determining that a hash collision exists and not collecting the message; and if the first quintuple information is determined to be the same as the second quintuple information, acquiring the message according to the at least one rule.
8. The apparatus of claim 7, further comprising:
the setting module is used for setting a countdown timer with set duration in each storage unit of the register;
a processing module to: resetting a countdown timer of the storage unit after the message is collected according to the at least one rule; or polling whether the remaining time of the countdown timer set in each storage unit of the register is 0 or not, and returning the information in the storage unit of which the remaining time of the countdown timer is 0 to zero.
9. An electronic device, characterized in that the electronic device comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of claims 1-4 when executing a program stored on a memory.
10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911333217.3A CN110995546B (en) | 2019-12-23 | 2019-12-23 | Message sampling method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911333217.3A CN110995546B (en) | 2019-12-23 | 2019-12-23 | Message sampling method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110995546A CN110995546A (en) | 2020-04-10 |
| CN110995546B true CN110995546B (en) | 2022-02-25 |
Family
ID=70073869
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911333217.3A Active CN110995546B (en) | 2019-12-23 | 2019-12-23 | Message sampling method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110995546B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113824605B (en) * | 2020-06-18 | 2025-01-07 | 中兴通讯股份有限公司 | Network flow sampling method, network device and storage medium |
| CN113132367B (en) * | 2021-04-09 | 2024-02-23 | 国网电力科学研究院有限公司 | Engineering monitoring-oriented data transmission self-adaptive method and device for Internet of things acquisition terminal |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101702723A (en) * | 2009-10-30 | 2010-05-05 | 曙光信息产业(北京)有限公司 | Method and device for filtering IP message |
| CN105337991A (en) * | 2015-11-23 | 2016-02-17 | 湖南戎腾网络科技有限公司 | Integrated message flow searching and updating method |
| CN107786447A (en) * | 2017-11-09 | 2018-03-09 | 锐捷网络股份有限公司 | A kind of message forwarding method and equipment based on FPGA |
| CN108540350A (en) * | 2018-04-20 | 2018-09-14 | 济南浪潮高新科技投资发展有限公司 | A kind of network flow preprocess method based on FPGA |
| CN109274593A (en) * | 2018-08-31 | 2019-01-25 | 新华三信息安全技术有限公司 | A kind of information storage means and device |
| CN110191109A (en) * | 2019-05-17 | 2019-08-30 | 杭州迪普信息技术有限公司 | A kind of packet sampling method and device |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE102016205827B3 (en) * | 2016-04-07 | 2017-08-17 | Volkswagen Aktiengesellschaft | Method, device, vehicle and central office for determining a timeliness of a local user setting |
-
2019
- 2019-12-23 CN CN201911333217.3A patent/CN110995546B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101702723A (en) * | 2009-10-30 | 2010-05-05 | 曙光信息产业(北京)有限公司 | Method and device for filtering IP message |
| CN105337991A (en) * | 2015-11-23 | 2016-02-17 | 湖南戎腾网络科技有限公司 | Integrated message flow searching and updating method |
| CN107786447A (en) * | 2017-11-09 | 2018-03-09 | 锐捷网络股份有限公司 | A kind of message forwarding method and equipment based on FPGA |
| CN108540350A (en) * | 2018-04-20 | 2018-09-14 | 济南浪潮高新科技投资发展有限公司 | A kind of network flow preprocess method based on FPGA |
| CN109274593A (en) * | 2018-08-31 | 2019-01-25 | 新华三信息安全技术有限公司 | A kind of information storage means and device |
| CN110191109A (en) * | 2019-05-17 | 2019-08-30 | 杭州迪普信息技术有限公司 | A kind of packet sampling method and device |
Non-Patent Citations (1)
| Title |
|---|
| 基于NetFlow的网络数据流量采集器;刘付斌;《测控技术》;20140118;第33卷(第1期);112-114 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110995546A (en) | 2020-04-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20220394316A1 (en) | Message sending method and device, readable medium and electronic device | |
| CN112804121B (en) | TTE network transmission delay test system and method | |
| CN108810116B (en) | Message processing method and related product | |
| CN110519290A (en) | Anomalous traffic detection method, device and electronic equipment | |
| CN111209998B (en) | Training method and device of machine learning model based on data type | |
| CN108259426B (en) | A DDoS attack detection method and device | |
| CN112434039A (en) | Data storage method, device, storage medium and electronic device | |
| CN110995546B (en) | Message sampling method and device | |
| WO2021088484A1 (en) | Network delay detection method and related device | |
| CN110751045B (en) | Fault recording method, system and terminal equipment | |
| CN110944016A (en) | DDoS attack detection method, device, network equipment and storage medium | |
| CN108989881A (en) | A kind of main broadcaster's state determines method and device | |
| CN106911927A (en) | Assess method, device and the DPI equipment of Internet video user experience quality | |
| CN114785567A (en) | Traffic identification method, device, equipment and medium | |
| CN113285918A (en) | ACL (access control list) filtering table item establishing method and device for network attack | |
| CN111064719B (en) | Method and device for detecting abnormal downloading behavior of file | |
| CN113810336A (en) | Data message encryption determination method and device and computer equipment | |
| CN111552566B (en) | Data processing system, method, electronic equipment and storage medium | |
| CN116996446B (en) | Hash load balancing method, device, equipment and medium | |
| CN117319312B (en) | Data flow control method and device | |
| CN117081844A (en) | Network attack detection method, device, equipment and medium | |
| CN110138892B (en) | Method and device for determining equipment regional information | |
| CN117118739A (en) | Evaluation method and device of network security rules, storage medium and electronic equipment | |
| CN112804145B (en) | Flow statistical method and device based on segmented identification list | |
| CN116545668A (en) | Method and device for judging server attack, storage medium and electronic device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |