CN111917835A - A system, method and device for monitoring network data - Google Patents


Info

Publication number: CN111917835A
Authority: CN (China)
Prior art keywords: data, mirror, protocol, monitoring, format
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202010668703.7A
Other languages: Chinese (zh)
Inventor: 李刚, 赵军, 候俊峰
Current Assignee: Beijing Skyguard Network Security Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Skyguard Network Security Technology Co ltd
Application filed by Beijing Skyguard Network Security Technology Co ltd
Priority to CN202010668703.7A
Publication of CN111917835A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30 Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a system, method and device for monitoring network data, and relates to the technical field of computers. A specific implementation of the method includes: using a data acquisition and analysis tool to process the network mirror data to be monitored according to a custom transmission protocol; reducing the resource overhead of system caching and mirror data transmission by merging data and adjusting the data transmission frequency, which improves the stability of the system and the efficiency of monitoring data; improving the transmission efficiency of mirror data by merging the handling of multiple connections based on the Transmission Control Protocol (TCP); and restoring mirror data carried in the custom transmission protocol to the standard TCP data format and establishing a virtual connection based on the application layer protocol, so that the mirror data is compatible with third-party network application layer analysis applications, which improves the flexibility of monitoring network mirror data.

Figure 202010668703

Description

A system, method and device for monitoring network data

Technical field

The present invention relates to the field of computer technology, and in particular to a system, method and device for monitoring network data.

Background

In today's Internet era, data security and information security have become issues that enterprises must pay attention to. The usual approach to data traffic monitoring is to bypass-mirror, on the enterprise backbone network, the network traffic that needs to be analyzed to a network security monitoring device for processing. This ensures that users' normal business traffic is not affected, while the network security monitoring device can analyze the bypass-mirrored network traffic in a timely manner and report the risks in that traffic to the network administrator. Security products that analyze bypass-mirrored traffic are usually implemented as a traditional Linux kernel module (kernel-module): data traffic is identified and captured inside the Linux kernel, the captured traffic is forwarded to a network application for analysis, and when a risk such as a data security risk is found, a data risk notification is generated for operations and maintenance personnel.

In the process of realizing the present invention, the inventors found that the prior art has at least the following problems:

When the volume of mirror traffic to be monitored is large, monitoring network data with a kernel module captures all of the bypass-mirrored data without processing it, so a large amount of space must be requested in the kernel to cache data that has not been processed in time. Kernel memory usage may become too high, the excessive resource consumption causes system stability problems, and the efficiency of monitoring the mirror data is reduced. In addition, mirror data is mainly transmitted over the Transmission Control Protocol (TCP), so in order to judge the validity of the data the kernel module has to process the multiple connections of the data, which increases the complexity of mirror data processing. Finally, because the kernel module runs on the Linux system, portability is poor, which further increases the complexity of monitoring mirror data.

Summary of the invention

In view of this, embodiments of the present invention provide a system, method and device for monitoring network data. A data acquisition and analysis tool processes the monitored mirror data according to a custom transmission protocol. Merging data and adjusting the data transmission frequency reduces the resource overhead of system caching and mirror data transmission, which improves the stability of the system and the efficiency of monitoring data, and merging the handling of multiple TCP-based connections improves the transmission efficiency of mirror data. Restoring mirror data carried in the custom transmission protocol to the standard TCP data format, and establishing a virtual connection based on the application layer protocol, makes the mirror data compatible with third-party network application layer analysis applications and improves the flexibility of monitoring mirror data.

To achieve the above object, according to one aspect of the embodiments of the present invention, a system for monitoring network data is provided, characterized by comprising a data acquisition unit and a data monitoring unit, wherein:

The data acquisition unit is configured to acquire, according to a data acquisition policy, mirror data matching the data acquisition policy from a data exchange server, the mirror data being in the TCP data format; and to convert, based on a custom transmission protocol, the mirror data into intermediate data in the custom transmission protocol format.

The data monitoring unit is configured to receive the intermediate data and convert the custom transmission protocol format of the intermediate data into the TCP format to form target mirror data; and to monitor the target mirror data and send monitoring prompt information when the target mirror data matches a set monitoring policy.

Optionally, in the system for monitoring network data, a virtual connection of the target mirror data based on the application layer protocol is established according to the application layer protocol identifier contained in the target mirror data.

Optionally, in the system for monitoring network data, acquiring mirror data matching the data acquisition policy from the data exchange server according to the data acquisition policy includes: providing a data filtering unit in the data acquisition unit, the data filtering unit being configured to set the data acquisition policy based on the network address of the data transmission.

Optionally, in the system for monitoring network data, converting the mirror data into intermediate data in the custom transmission protocol format based on the custom transmission protocol includes: merging at least two groups of the mirror data based on the custom transmission protocol to generate one group of the intermediate data in the custom transmission protocol format.

Optionally, in the system for monitoring network data, the frequency of sending a group of the intermediate data to the data monitoring unit is determined according to the size of the group of intermediate data in the custom transmission protocol format.

Optionally, in the system for monitoring network data, the multiple TCP-based connections contained in the mirror data are merged and processed together.

Optionally, in the system for monitoring network data, the data acquisition unit and the data processing unit run on the same physical device.

Optionally, in the system for monitoring network data, the data acquisition unit and the data processing unit use a local persistent connection for data transmission.

To achieve the above object, according to a second aspect of the embodiments of the present invention, a method for monitoring network data is provided, characterized by comprising: acquiring, according to a data acquisition policy, mirror data matching the data acquisition policy from a data exchange server, the mirror data being in the TCP data format; converting, based on a custom transmission protocol, the mirror data into intermediate data in the custom transmission protocol format, and sending the intermediate data; receiving the intermediate data and converting the custom transmission protocol format of the intermediate data into the TCP format to form target mirror data; and monitoring the target mirror data and sending monitoring prompt information when the target mirror data matches a set monitoring policy.

Optionally, in the method for monitoring network data, a virtual connection of the target mirror data based on the application layer protocol is established according to the application layer protocol identifier contained in the target mirror data.

Optionally, in the method for monitoring network data, acquiring mirror data matching the data acquisition policy from the data exchange server according to the data acquisition policy includes: setting the data acquisition policy based on the network address of the data transmission.

Optionally, in the method for monitoring network data, processing the mirror data based on the custom transmission protocol to generate intermediate data in the custom transmission protocol format includes: merging at least two groups of the mirror data based on the custom transmission protocol to generate one group of the intermediate data in the custom transmission protocol format.

Optionally, in the method for monitoring network data, the frequency of sending a group of the intermediate data is determined according to the size of the group of intermediate data in the custom transmission protocol format.

Optionally, in the method for monitoring network data, the multiple TCP-based connections contained in the mirror data are merged and processed together.

Optionally, in the method for monitoring network data, the intermediate data is sent or received over a local persistent connection.

To achieve the above object, according to a third aspect of the embodiments of the present invention, a device for monitoring network data is provided, characterized by comprising a data acquisition module and a data monitoring module, wherein:

The data acquisition module is configured to acquire, according to a data acquisition policy, mirror data matching the data acquisition policy from a data exchange server, the mirror data being in the TCP data format; to convert, based on a custom transmission protocol, the mirror data into intermediate data in the custom transmission protocol format; and to send the intermediate data.

The data monitoring module is configured to receive the intermediate data and convert the custom transmission protocol format of the intermediate data into the TCP format to form target mirror data; and to monitor the target mirror data and send monitoring prompt information when the target mirror data matches a set monitoring policy.

Optionally, in the device for monitoring network data, a virtual connection of the target mirror data based on the application layer protocol is established according to the application layer protocol identifier contained in the target mirror data.

Optionally, in the device for monitoring network data, acquiring mirror data matching the data acquisition policy from the data exchange server according to the data acquisition policy includes: setting the data acquisition policy based on the network address of the data transmission.

Optionally, in the device for monitoring network data, processing the mirror data based on the custom transmission protocol to generate intermediate data in the custom transmission protocol format includes: merging at least two groups of the mirror data based on the custom transmission protocol to generate one group of the intermediate data in the custom transmission protocol format.

Optionally, in the device for monitoring network data, the frequency of sending a group of the intermediate data is determined according to the size of the group of intermediate data in the custom transmission protocol format.

Optionally, in the device for monitoring network data, the multiple TCP-based connections contained in the mirror data are merged and processed together.

Optionally, in the device for monitoring network data, the intermediate data is sent or received over a local persistent connection.

To achieve the above object, according to a fourth aspect of the embodiments of the present invention, an electronic device for monitoring network data is provided, characterized by comprising: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement any one of the above methods for monitoring network data.

To achieve the above object, according to a fifth aspect of the embodiments of the present invention, a computer-readable medium is provided on which a computer program is stored, characterized in that the program, when executed by a processor, implements any one of the above methods for monitoring network data.

An embodiment of the above invention has the following advantages or beneficial effects. A data acquisition and analysis tool processes the network mirror data to be monitored according to a custom transmission protocol. Merging data and adjusting the data transmission frequency reduces the resource overhead of system caching and mirror data transmission and improves the stability of the system, and merging the TCP three-way handshake and four-way wave (connection teardown) processes improves the transmission efficiency of mirror data. Restoring mirror data carried in the custom transmission protocol to the standard TCP data format, and establishing a virtual connection based on the application layer protocol, makes the mirror data compatible with third-party network application layer data analysis applications and improves the portability and flexibility of monitoring network mirror data.

Further effects of the above non-conventional optional implementations are described below in conjunction with specific embodiments.

Description of the drawings

The accompanying drawings are provided for a better understanding of the present invention and do not constitute an improper limitation of it. In the drawings:

FIG. 1 is a schematic structural diagram of a system for monitoring network data provided by an embodiment of the present invention;

FIG. 2 is a schematic diagram of a system for monitoring network data provided by an embodiment of the present invention;

FIG. 3 is a schematic flowchart of a method for monitoring network data provided by an embodiment of the present invention;

FIG. 4 is a schematic diagram of a device for monitoring network data provided by an embodiment of the present invention;

FIG. 5 is a diagram of an exemplary system architecture to which an embodiment of the present invention may be applied;

FIG. 6 is a schematic structural diagram of a computer system suitable for implementing a terminal device or a server according to an embodiment of the present invention.

Detailed description

Exemplary embodiments of the present invention are described below with reference to the accompanying drawings. They include various details of the embodiments to aid understanding and should be regarded as exemplary only. Those of ordinary skill in the art will therefore recognize that various changes and modifications can be made to the embodiments described here without departing from the scope and spirit of the invention. Likewise, descriptions of well-known functions and structures are omitted from the following description for clarity and conciseness.

As shown in FIG. 1, an embodiment of the present invention provides a system 100 for monitoring network data, which includes a data acquisition unit 101 and a data monitoring unit 102.

The data acquisition unit 101 is configured to acquire, according to a data acquisition policy, mirror data matching the data acquisition policy from a data exchange server, the mirror data being in the TCP data format; and to convert, based on a custom transmission protocol, the mirror data into intermediate data in the custom transmission protocol format.

Specifically, a security product server usually obtains data traffic by bypass traffic mirroring in order to analyze and monitor data security. In one embodiment of the present invention, the data acquisition unit running on the security product server acquires mirror data from the switching server according to the data acquisition policy, for example through the network card of the switch. The data acquisition policy is a preset policy that determines which data the data acquisition unit acquires and where that data comes from. For example, the policy can be set to acquire mirror data based on the network address of the data transmission; further, the data acquisition policy is set by the data filtering unit. For example, the data acquisition policy may be to acquire data from the network segment 172.168.*.*, or to acquire data associated with a port number of a certain IP (Internet Protocol) address (for example, port number 80). The data acquisition policy is set according to the specific business scenario of the enterprise, and the present invention does not limit the specific content of the mirror data acquisition policy. That is, acquiring mirror data matching the data acquisition policy from the data exchange server according to the data acquisition policy includes: providing a data filtering unit in the data acquisition unit, the data filtering unit being configured to set the data acquisition policy based on the network address of the data transmission.

Further, one embodiment of the present invention acquires mirror data with a combination of the driver provided by the PF_RING tool, the Libpcap software package, and the BRO tool (a packet traffic analysis tool). Using this scheme in place of the commonly used kernel-module data acquisition method overcomes the defects of the existing kernel module (Kernel-Module) scheme.

Specifically, PF_RING is a packet capture toolkit. With the low-level socket buffer mechanism provided by the driver included in PF_RING, network card data from the switch can be received efficiently, and a large amount of data can be cached by adapting the buffer size. This removes the step, required in the kernel module (Kernel-Module) scheme, of copying mirror data from the socket buffer to the user-space buffer, and so improves the efficiency of receiving mirror data. Further, the mirror data is obtained through the interface of the Libpcap software package. The Libpcap package is recompiled against the driver interface contained in PF_RING and provides the various standard mirror data acquisition interfaces, which solves the portability problem caused by the BRO tool otherwise needing adaptation, improves the flexibility and ease of use of the BRO tool, and thereby ensures the stability of the data acquisition application. Further, the BRO tool filters traffic according to the data acquisition policy. For example, the data acquisition policy `tcp port 80` indicates that mirror data on TCP (Transmission Control Protocol) port 80 is to be acquired; that is, mirror data matching the data acquisition policy is acquired from the data exchange server according to the data acquisition policy.

Further, the mirror data is in a data format based on the transmission control protocol; the mirror data is processed based on a custom transmission protocol to generate intermediate data in the format of the custom transmission protocol. Specifically, the transport-layer protocol customarily used for data transmission is TCP (Transmission Control Protocol). The application-layer data traffic that an enterprise network monitors and inspects usually uses TCP as its transport protocol; application-layer protocol types include HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), SNMP (Simple Network Management Protocol), IMAP (Internet Message Access Protocol), POP3 (Post Office Protocol version 3), and so on. Mirror data in a data format based on TCP (that is, the transmission control protocol) is acquired and sent to the data monitoring unit for further monitoring and analysis of the mirror data. Further, the data acquisition unit converts the mirror data, based on the custom transmission protocol, into intermediate data that includes the custom transmission protocol format. Specifically, the custom transmission protocol, for example the custom TCP-Replay protocol in one embodiment of the present invention, is used to merge and recombine the multiple groups of mirror data that have been acquired, generating intermediate data that includes the custom transmission protocol format. The intermediate data is passed to the data processing module for further processing as sequenced packets over a local persistent connection (for example, unix-socket), which reduces the consumption of network socket resources and improves the transmission efficiency of the mirror data; that is, the data acquisition module and the data processing module use a local persistent connection for data transmission. That is, processing the mirror data based on the custom transmission protocol and generating intermediate data in the format of the custom transmission protocol includes: merging at least two groups of the mirror data based on the custom transmission protocol to generate one group of the intermediate data in the format of the custom transmission protocol. It can be understood that merging multiple groups of mirror data reduces the network resource overhead of transmitting mirror data. Further, the frequency of sending the intermediate data to the data processing module is determined according to the size of the intermediate data and the availability of network resources, where the size of the network data is its volume (for example, 1 GB, 500 MB, etc.); for example, when the intermediate data is large, the frequency of sending the intermediate data can be reduced in order to reduce congestion of network resources. That is, processing the mirror data based on the custom transmission protocol and generating intermediate data in the format of the custom transmission protocol further includes: determining, according to the size of one group of the intermediate data in the format of the custom transmission protocol, the sending frequency for sending the intermediate data to the data processing module.
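The patent names a custom TCP-Replay protocol but does not disclose its wire format. The following added example, which is not part of the patent text or of any product, assumes a hypothetical framing (magic TRPL, field layout as in the comments, sample records constructed) to show merging groups of mirror data into one batch, lengthening the send interval for larger batches, carrying the batch over a local sequenced-packet socket, and restoring it with every length field checked.

```python
import ipaddress
import socket
import struct

MAGIC = b"TRPL"                        # hypothetical magic; the wire format is an assumption
VERSION = 1
BATCH_HDR = struct.Struct("!4sBHI")    # magic, version, record count, body length
REC_HDR = struct.Struct("!4sH4sHBI")   # src ip, src port, dst ip, dst port, flags, payload length
MAX_BATCH = 60_000                     # keep one batch inside a single sequenced packet
FLAG_FROM_CLIENT = 0x01                # assumed direction flag


def encode_batch(records):
    """Merge several captured groups of mirror data into one intermediate datagram."""
    body = bytearray()
    for src, sport, dst, dport, flags, payload in records:
        body += REC_HDR.pack(ipaddress.IPv4Address(src).packed, sport,
                             ipaddress.IPv4Address(dst).packed, dport,
                             flags, len(payload))
        body += payload
    if BATCH_HDR.size + len(body) > MAX_BATCH:
        raise ValueError("batch too large for one sequenced packet")
    return BATCH_HDR.pack(MAGIC, VERSION, len(records), len(body)) + bytes(body)


def decode_batch(buf):
    """Restore the records; each length field is validated before it is used."""
    if len(buf) < BATCH_HDR.size:
        raise ValueError("truncated batch header")
    magic, version, count, body_len = BATCH_HDR.unpack_from(buf, 0)
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a version-1 batch")
    if body_len != len(buf) - BATCH_HDR.size:
        raise ValueError("declared body length does not match datagram size")
    records, off = [], BATCH_HDR.size
    for _ in range(count):
        if len(buf) - off < REC_HDR.size:
            raise ValueError("truncated record header")
        src, sport, dst, dport, flags, plen = REC_HDR.unpack_from(buf, off)
        off += REC_HDR.size
        if plen > len(buf) - off:
            raise ValueError("record payload overruns the batch")
        records.append((str(ipaddress.IPv4Address(src)), sport,
                        str(ipaddress.IPv4Address(dst)), dport,
                        flags, bytes(buf[off:off + plen])))
        off += plen
    if off != len(buf):
        raise ValueError("trailing bytes after the last record")
    return records


def send_interval(batch_size, base=0.05, step=16_384, ceiling=1.0):
    """Seconds to wait before the next send: larger batches are sent less often."""
    return min(ceiling, base * (1 + batch_size // step))


def relay(batch):
    """Carry one batch over a local AF_UNIX sequenced-packet socket pair."""
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_SEQPACKET)
    try:
        tx.send(batch)
        return rx.recv(65536)          # one recv returns exactly one batch
    finally:
        tx.close()
        rx.close()


# Constructed sample: two groups of mirror data from one HTTP exchange.
SAMPLE = [
    ("192.0.2.10", 49152, "198.51.100.7", 80, FLAG_FROM_CLIENT,
     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("198.51.100.7", 80, "192.0.2.10", 49152, 0,
     b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]


def demo():
    batch = encode_batch(SAMPLE)
    return decode_batch(relay(batch)), send_interval(len(batch))


if __name__ == "__main__":
    print(demo())
```

The decoder rejects a batch whose declared lengths disagree with the bytes actually received, so a malformed batch cannot make the monitoring side read past the datagram.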

Further, the BRO tool can identify and merge the TCP-based data packets that make up the three-way handshake and the four-way teardown (that is, multiple connections), which reduces the processing complexity of the application receiving the mirror data and improves the efficiency of monitoring the mirror data; that is, the multiple connections based on the transmission control protocol contained in the mirror data are merged and processed.

The data monitoring unit 102 is configured to receive the intermediate data and convert the custom transmission protocol format included in the intermediate data into the transmission control protocol format to form target mirror data; and to monitor the target mirror data and send monitoring prompt information when the target mirror data matches the set monitoring policy.

Specifically, the data monitoring unit 102 receives the intermediate data and converts the custom transmission protocol format included in the intermediate data into the transmission control protocol format to form target mirror data. In one embodiment of the present invention, the data monitoring unit runs on ATS (Apache Traffic Server) and receives the intermediate data from BRO over a local persistent connection (unix-socket); it first converts the intermediate data into target mirror data in TCP format according to the TCP-Replay protocol, a conversion that includes unpacking the data packets and restoring the data. Further, based on the application-layer protocol identifier contained in the target mirror data, a virtual connection based on the application-layer protocol is established for the target mirror data. Specifically, the data monitoring unit includes an application-layer network analysis application for monitoring and analyzing the target mirror data. Therefore, by establishing a virtual connection based on the application-layer protocol (for example, HTTP) for the target mirror data, based on the application-layer protocol identifier (for example, an HTTP protocol identifier) contained in the target mirror data, the system is compatible with third-party network analysis applications running on top of ATS, which improves the compatibility and flexibility of the monitoring data. When the virtual connection of the application-layer protocol is generated, the event simulation function included in ATS can be used to indicate that the target mirror data has the mirror data attribute. This can be done by adapting the asynchronous event processing system that exists in ATS and adding code that indicates the mirror data attribute. The network analysis application analyzes the target mirror data according to the set monitoring policy, which includes for example an analysis policy and security risk trigger conditions; when the target mirror data matches the set monitoring policy, it generates and sends monitoring prompt information, such as log information or alert text. The monitoring prompt information is sent to the relevant operations and maintenance personnel by e-mail, event notification, SMS, and so on; that is, the target mirror data is monitored, and monitoring prompt information is sent when the target mirror data matches the set monitoring policy. The present invention does not limit the specific content of the set monitoring policy, the specific content of the monitoring prompt information, or the specific manner of sending the monitoring prompt information.
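The monitoring side described above, as an added example that is not part of the patent text and does not use the ATS API: restored TCP payloads are grouped into per-flow virtual connections marked as mirror copies, tagged with an application-layer protocol identifier, and checked against a monitoring policy. The record tuple layout (src, sport, dst, dport, flags, payload), the direction flag, both policy rules and the sample records are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

FROM_CLIENT = 0x01   # assumed direction flag carried with each restored record
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/1\.[01]$")


@dataclass
class VirtualConnection:
    client: tuple
    server: tuple
    protocol: str = "unknown"
    mirrored: bool = True      # mirror-data attribute: analysed only, never forwarded
    request: bytearray = field(default_factory=bytearray)
    response: bytearray = field(default_factory=bytearray)


def build_connections(records):
    """Group restored payloads by flow, then tag each flow with its protocol."""
    conns = {}
    for src, sport, dst, dport, flags, payload in records:
        from_client = bool(flags & FROM_CLIENT)
        if from_client:
            client, server = (src, sport), (dst, dport)
        else:
            client, server = (dst, dport), (src, sport)
        conn = conns.setdefault((client, server), VirtualConnection(client, server))
        (conn.request if from_client else conn.response).extend(payload)
    for conn in conns.values():
        first_line = bytes(conn.request).split(b"\r\n", 1)[0]
        if HTTP_REQUEST_LINE.match(first_line):
            conn.protocol = "http"
    return list(conns.values())


def http_headers(conn):
    """Parse request headers from the reassembled client-side byte stream."""
    head = bytes(conn.request).split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


# Hypothetical monitoring policy: the patent leaves the policy content open.
POLICY = [
    {"name": "basic-auth-over-cleartext-http", "protocol": "http",
     "header": "authorization", "pattern": re.compile(r"^Basic\s+\S+", re.I)},
    {"name": "session-cookie-over-cleartext-http", "protocol": "http",
     "header": "cookie", "pattern": re.compile(r"\bsessionid=", re.I)},
]


def monitor(records, policy=POLICY):
    """Return one alert per (connection, rule) match; header values are not copied."""
    alerts = []
    for conn in build_connections(records):
        headers = http_headers(conn) if conn.protocol == "http" else {}
        for rule in policy:
            value = headers.get(rule["header"])
            if rule["protocol"] == conn.protocol and value and rule["pattern"].search(value):
                alerts.append({"rule": rule["name"], "client": conn.client,
                               "server": conn.server, "mirrored": conn.mirrored})
    return alerts


# Constructed records: the first request is split across two captured groups.
RECORDS = [
    ("192.0.2.10", 49152, "198.51.100.7", 80, FROM_CLIENT,
     b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthori"),
    ("192.0.2.10", 49152, "198.51.100.7", 80, FROM_CLIENT,
     b"zation: Basic Y29uc3RydWN0ZWQ6c2FtcGxl\r\n\r\n"),
    ("198.51.100.7", 80, "192.0.2.10", 49152, 0,
     b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.11", 49153, "198.51.100.7", 80, FROM_CLIENT,
     b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in monitor(RECORDS):
        print(alert)
```

Because the rule is evaluated on the reassembled stream rather than on single records, the header split across two captured groups is still matched, and the alert carries the flow endpoints but not the credential itself.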

Preferably, the data acquisition unit and the data processing unit run on the same physical device. For example, the data acquisition unit and the data processing unit run on the same physical device used for monitoring network data (the network data being the mirror data), such as a personal computer or a server. It can be understood that, because the data acquisition unit and the data processing unit run on the same physical device and the mirror data is transmitted over a local persistent connection, the transmission efficiency and transmission stability of the mirror data are improved, which in turn improves the efficiency of monitoring data. Further, FIG. 2 shows a schematic structural diagram of the BRO- and ATS-based embodiment described above.

As shown in FIG. 3, an embodiment of the present invention provides a schematic flowchart of a method for monitoring network data. The method includes the following steps:

Step S301: According to the data acquisition policy, acquire mirror data matching the data acquisition policy from the data exchange server; the mirror data includes the data format of the transmission control protocol; based on the custom transmission protocol, convert the mirror data into intermediate data that includes the custom transmission protocol format; and send the intermediate data.

Specifically, the description of acquiring and converting the mirror data is the same as the description of the data acquisition unit 101 and is not repeated here.

Step S302: Receive the intermediate data and convert the custom transmission protocol format included in the intermediate data into the transmission control protocol format to form target mirror data; monitor the target mirror data and, when the target mirror data matches the set monitoring policy, send monitoring prompt information.

Specifically, the description of monitoring the mirror data, including receiving and processing the mirror data, is the same as the description of the data monitoring unit 102 and is not repeated here.

As shown in FIG. 4, an embodiment of the present invention provides a schematic structural diagram of an apparatus 400 for monitoring network data, including a data acquisition module 401 and a data monitoring module 402, wherein:

The data acquisition module 401 is configured to acquire, according to the data acquisition policy, mirror data matching the data acquisition policy from the data exchange server; the mirror data includes the data format of the transmission control protocol; to convert the mirror data, based on the custom transmission protocol, into intermediate data that includes the custom transmission protocol format; and to send the intermediate data;

The data monitoring module 402 is configured to receive the intermediate data and convert the custom transmission protocol format included in the intermediate data into the transmission control protocol format to form target mirror data; to establish, based on the application-layer protocol identifier contained in the target mirror data, a virtual connection based on the application-layer protocol for the target mirror data; and to perform data analysis and monitoring based on the target mirror data.

Optionally, the data acquisition module 401 is further configured to establish, based on the application-layer protocol identifier contained in the target mirror data, a virtual connection based on the application-layer protocol for the target mirror data.

Optionally, the data acquisition module 401 is further configured to acquire, according to the data acquisition policy, mirror data matching the data acquisition policy from the data exchange server, including: setting the data acquisition policy based on the network address of the data transmission.

Optionally, the data acquisition module 401 is further configured to process the mirror data based on the custom transmission protocol and generate intermediate data that includes the custom transmission protocol format, including: merging at least two groups of the mirror data based on the custom transmission protocol to generate one group of the intermediate data that includes the custom transmission protocol format.

Optionally, the data acquisition module 401 is further configured to determine, according to the size of one group of the intermediate data that includes the custom transmission protocol format, the sending frequency for sending one group of the intermediate data.

Optionally, the data acquisition module 401 is further configured to merge and process the multiple connections based on the transmission control protocol contained in the mirror data.

Optionally, the data acquisition module 401 is further configured to send or receive the intermediate data over a local persistent connection.

An embodiment of the present invention further provides an electronic device for monitoring network data, including: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method provided by any of the above embodiments.

An embodiment of the present invention further provides a computer-readable medium on which a computer program is stored; when executed by a processor, the program implements the method provided by any of the above embodiments.

FIG. 5 shows an exemplary system architecture 500 to which the method for monitoring network data or the apparatus for monitoring network data of the embodiments of the present invention may be applied.

As shown in FIG. 5, the system architecture 500 may include terminal devices 501, 502 and 503, a network 504 and a server 505. The network 504 is the medium that provides communication links between the terminal devices 501, 502, 503 and the server 505. The network 504 may include various connection types, such as wired or wireless communication links or fiber optic cables.

A user can use the terminal devices 501, 502, 503 to interact with the server 505 through the network 504 in order to receive or send messages and the like. Various client applications may be installed on the terminal devices 501, 502 and 503, such as web browser applications, search applications, instant messaging tools and e-mail clients.

The terminal devices 501, 502, 503 may be various electronic devices that have a display screen and support web browsing, including but not limited to smartphones, tablet computers, laptop computers and desktop computers.

The server 505 may be a server that provides various services, for example a back-end management server that monitors the network data generated by users with the terminal devices 501, 502, 503. The back-end management server can analyze and monitor the received mirror data and feed the monitoring prompt information back to the terminal devices.

It should be noted that the method for monitoring network data provided by the embodiments of the present invention is generally executed by the server 505, and accordingly the apparatus for monitoring network data is generally located in the server 505.

It should be understood that the numbers of terminal devices, networks and servers in FIG. 5 are merely illustrative. There may be any number of terminal devices, networks and servers, as the implementation requires.

Referring now to FIG. 6, it shows a schematic structural diagram of a computer system 600 suitable for implementing a terminal device of an embodiment of the present invention. The terminal device shown in FIG. 6 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of the present invention.

As shown in FIG. 6, the computer system 600 includes a central processing unit (CPU) 601, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 602 or a program loaded from a storage section 608 into a random access memory (RAM) 603. The RAM 603 also stores the various programs and data required for the operation of the system 600. The CPU 601, the ROM 602 and the RAM 603 are connected to one another through a bus 604. An input/output (I/O) interface 605 is also connected to the bus 604.

The following components are connected to the I/O interface 605: an input section 606 including a keyboard, a mouse and the like; an output section 607 including a cathode ray tube (CRT) or liquid crystal display (LCD), a speaker and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card or a modem. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 610 as needed, so that a computer program read from it can be installed into the storage section 608 as needed.

In particular, according to the disclosed embodiments of the present invention, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, the disclosed embodiments of the present invention include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. When the computer program is executed by the central processing unit (CPU) 601, the above functions defined in the system of the present invention are performed.

It should be noted that the computer-readable medium shown in the present invention may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. The computer-readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of computer-readable storage media may include, but are not limited to: an electrical connection with one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present invention, a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in combination with an instruction execution system, apparatus or device. In the present invention, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transport a program for use by or in combination with an instruction execution system, apparatus or device. Program code contained on a computer-readable medium may be transmitted over any suitable medium, including but not limited to wireless, wire, optical cable, RF and the like, or any suitable combination of the above.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two blocks shown in succession may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams or flowcharts, and combinations of blocks in the block diagrams or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.

The modules and/or units described in the embodiments of the present invention may be implemented in software or in hardware. The described modules and/or units may also be provided in a processor; for example, this may be described as: a processor includes a data acquisition module and a data monitoring module. The names of these modules do not, in certain circumstances, limit the modules themselves; for example, the data monitoring module may also be described as "a module that receives and processes mirror data and monitors the mirror data according to the set monitoring policy".

As another aspect, the present invention also provides a computer-readable medium, which may be included in the device described in the above embodiments, or may exist separately without being assembled into the device. The computer-readable medium carries one or more programs which, when executed by the device, cause the device to include: using data acquisition and analysis tools to process the mirror data to be monitored according to a custom transmission protocol; merging data and adjusting the data transmission frequency reduces the resource overhead of system caching and mirror data transmission and improves the stability of the system and the efficiency of monitoring network data, and merging the multiple connections based on the transmission control protocol improves the transmission efficiency of the mirror data; restoring the mirror data that includes the custom transmission protocol to the data format of the standard transmission control protocol and establishing a virtual connection based on the application-layer protocol makes the mirror data compatible with third-party application-layer network analysis applications and improves the flexibility of monitoring mirror data.

The above specific embodiments do not limit the scope of protection of the present invention. Those skilled in the art should understand that various modifications, combinations, sub-combinations and substitutions may occur depending on design requirements and other factors. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (18)

1.一种监控网络数据的系统,其特征在于,包括:数据获取单元和数据监控单元,其中:1. a system for monitoring network data, comprising: a data acquisition unit and a data monitoring unit, wherein: 所述数据获取单元用于根据数据获取策略,从数据交换服务器获取匹配于所述数据获取策略的镜像数据;所述镜像数据包含传输控制协议的数据格式;基于自定义传输协议,将所述镜像数据转换为包含所述自定义传输协议格式的中间数据;The data acquisition unit is configured to acquire mirror data matching the data acquisition strategy from the data exchange server according to the data acquisition strategy; the mirror data includes the data format of the transmission control protocol; based on the self-defined transmission protocol, the mirror data is Data is converted into intermediate data containing the custom transmission protocol format; 所述数据监控单元用于接收所述中间数据,将所述中间数据包含的自定义传输协议格式转换为传输控制协议格式,形成目标镜像数据;监控所述目标镜像数据,当所述目标镜像数据匹配于设定的监控策略时,发送监控提示信息。The data monitoring unit is configured to receive the intermediate data, convert the custom transmission protocol format contained in the intermediate data into a transmission control protocol format, and form target mirror data; monitor the target mirror data, when the target mirror data is When it matches the set monitoring policy, send monitoring prompt information. 2.根据权利要求1所述的系统,其特征在于,2. The system of claim 1, wherein: 基于所述目标镜像数据包含的应用层协议标识,建立所述目标镜像数据基于应用层协议的虚拟连接。Based on the application layer protocol identifier contained in the target mirror data, a virtual connection based on the application layer protocol of the target mirror data is established. 3.根据权利要求1所述的系统,其特征在于,3. The system of claim 1, wherein: 根据数据获取策略,从数据交换服务器获取匹配于所述数据获取策略的镜像数据,包括:在所述数据获取单元中设置数据过滤单元,所述数据过滤单元用于基于数据传输的网络地址设置数据获取策略。According to the data acquisition policy, acquiring mirror data matching the data acquisition policy from the data exchange server includes: setting a data filtering unit in the data acquisition unit, where the data filtering unit is configured to set data based on a network address of data transmission Get strategy. 4.根据权利要求1所述的系统,其特征在于,4. 
The system of claim 1, wherein converting the mirror data, based on the custom transmission protocol, into intermediate data containing the custom transmission protocol format comprises: merging at least two sets of the mirror data based on the custom transmission protocol to generate one set of the intermediate data containing the custom transmission protocol format.

5. The system of claim 4, wherein: the sending frequency for sending a set of the intermediate data to the data monitoring unit is determined according to the size of the set of intermediate data containing the custom transmission protocol format.

6. The system of claim 1, wherein: multiple connections based on the Transmission Control Protocol contained in the mirror data are merged and processed.

7. The system of claim 1, wherein: the data acquisition unit and the data processing unit run on the same physical device.

8. The system of claim 7, wherein: the data acquisition unit and the data processing unit transmit data over a local persistent connection.

9. A method for monitoring network data, comprising: acquiring, according to a data acquisition policy, mirror data matching the data acquisition policy from a data exchange server, the mirror data containing the data format of the Transmission Control Protocol; converting the mirror data, based on a custom transmission protocol, into intermediate data containing the custom transmission protocol format; and sending the intermediate data; receiving the intermediate data, and converting the custom transmission protocol format contained in the intermediate data into the Transmission Control Protocol format to form target mirror data; monitoring the target mirror data, and sending monitoring prompt information when the target mirror data matches a set monitoring policy.

10. The method of claim 9, wherein: based on the application layer protocol identifier contained in the target mirror data, a virtual connection based on the application layer protocol is established for the target mirror data.

11. The method of claim 9, wherein acquiring, according to the data acquisition policy, mirror data matching the data acquisition policy from the data exchange server comprises: setting the data acquisition policy based on the network address of the data transmission.

12. The method of claim 9, wherein processing the mirror data based on the custom transmission protocol to generate intermediate data containing the custom transmission protocol format comprises: merging at least two sets of the mirror data based on the custom transmission protocol to generate one set of the intermediate data containing the custom transmission protocol format.

13. The method of claim 12, wherein: the sending frequency for sending a set of the intermediate data is determined according to the size of the set of intermediate data containing the custom transmission protocol format.

14. The method of claim 9, wherein: multiple connections based on the Transmission Control Protocol contained in the mirror data are merged and processed.

15. The method of claim 9, wherein: the intermediate data is sent or received over a local persistent connection.

16. A device for monitoring network data, comprising: a data acquisition module and a data monitoring module; wherein the data acquisition module is configured to acquire, according to a data acquisition policy, mirror data matching the data acquisition policy from a data exchange server, the mirror data containing the data format of the Transmission Control Protocol; to convert the mirror data, based on a custom transmission protocol, into intermediate data containing the custom transmission protocol format; and to send the intermediate data; and the data monitoring module is configured to receive the intermediate data, convert the custom transmission protocol format contained in the intermediate data into the Transmission Control Protocol format to form target mirror data, monitor the target mirror data, and send monitoring prompt information when the target mirror data matches a set monitoring policy.

17. An electronic device, comprising: one or more processors; and a storage device for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 9-15.

18. A computer-readable medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method of any one of claims 9-15.
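The conversion round trip of claims 9, 12 and 16, as an added example that is not taken from the patent: at least two mirrored TCP segments are merged into one intermediate frame, converted back into TCP-level records, and checked against a monitoring policy. The frame layout, the function names and the keyword list standing in for the monitoring policy are assumptions; the claims do not define them.

```python
import struct
from ipaddress import IPv4Address

# Assumed layout (not from the patent): header = magic, version, record count;
# record = src IP, dst IP, src port, dst port, TCP seq, payload length, payload.
HDR = struct.Struct("!2sBH")
REC = struct.Struct("!4s4sHHIH")
MAGIC = b"MD"

def pack_batch(segments):
    """Merge several mirrored TCP segments into one intermediate frame."""
    parts = [HDR.pack(MAGIC, 1, len(segments))]
    for src, dst, sport, dport, seq, data in segments:
        parts.append(REC.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                              sport, dport, seq, len(data)) + data)
    return b"".join(parts)

def unpack_batch(frame):
    """Recover the TCP-level records; reject malformed or truncated frames."""
    if len(frame) < HDR.size or frame[:2] != MAGIC or frame[2] != 1:
        raise ValueError("not a version-1 intermediate frame")
    count, off, segments = HDR.unpack_from(frame)[2], HDR.size, []
    for _ in range(count):
        if off + REC.size > len(frame):
            raise ValueError("truncated record header")
        src, dst, sport, dport, seq, n = REC.unpack_from(frame, off)
        off += REC.size
        if off + n > len(frame):
            raise ValueError("truncated payload")
        segments.append((str(IPv4Address(src)), str(IPv4Address(dst)),
                         sport, dport, seq, frame[off:off + n]))
        off += n
    return segments

def monitor(segments, keywords):
    """Rebuild each flow in sequence order and list (flow, keyword) policy hits."""
    flows = {}
    for src, dst, sport, dport, seq, data in segments:
        flows.setdefault((src, sport, dst, dport), []).append((seq, data))
    hits = []
    for flow, parts in flows.items():
        stream = b"".join(data for _, data in sorted(parts))
        hits += [(flow, k) for k in keywords if k in stream]
    return hits

# Constructed sample: one flow mirrored as two segments, captured out of order.
SAMPLE = [("10.0.0.5", "192.0.2.10", 40000, 80, 1011, b"dential.xlsx HTTP/1.1\r\n"),
          ("10.0.0.5", "192.0.2.10", 40000, 80, 1000, b"POST /confi")]
```

The keyword is split across the two segments, so it only matches after the monitoring side has converted the frame back and reordered the flow by sequence number (sequence wraparound is not handled here).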
CN202010668703.7A 2020-07-13 2020-07-13 A system, method and device for monitoring network data Pending CN111917835A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010668703.7A CN111917835A (en) 2020-07-13 2020-07-13 A system, method and device for monitoring network data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010668703.7A CN111917835A (en) 2020-07-13 2020-07-13 A system, method and device for monitoring network data

Publications (1)

Publication Number Publication Date
CN111917835A true CN111917835A (en) 2020-11-10

Family

ID=73228054

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010668703.7A Pending CN111917835A (en) 2020-07-13 2020-07-13 A system, method and device for monitoring network data

Country Status (1)

Country Link
CN (1) CN111917835A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113515482A (en) * 2021-09-14 2021-10-19 北京国科天迅科技有限公司 Data transmission system, method, computer device and storage medium
CN114826916A (en) * 2021-01-28 2022-07-29 阿里巴巴集团控股有限公司 Data transmission method, device, system and computer storage medium
CN116033038A (en) * 2022-12-28 2023-04-28 山东省水利勘测设计院有限公司 A water network project dispatching operation monitoring data sharing method

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1633110A (en) * 2005-01-14 2005-06-29 中国科学院计算技术研究所 Flow Analysis Method Based on Linux Kernel
CN101488960A (en) * 2009-03-04 2009-07-22 哈尔滨工程大学 Apparatus and method for TCP protocol and data recovery based on parallel processing
CN101841470A (en) * 2010-03-29 2010-09-22 东南大学 High-speed capturing method of bottom-layer data packet based on Linux
CN102638487A (en) * 2011-03-02 2012-08-15 中国科学院地质与地球物理研究所 High-performance data transmission method for large telemetric seismic instrument
CN103997439A (en) * 2014-06-04 2014-08-20 腾讯科技(深圳)有限公司 Flow monitoring method, device and system
CN104394211A (en) * 2014-11-21 2015-03-04 浪潮电子信息产业股份有限公司 Hadoop-based user behavior analysis system design and implementation method
CN106656838A (en) * 2016-10-19 2017-05-10 赛尔网络有限公司 Data flow analyzing method and system
CN107426017A (en) * 2017-06-26 2017-12-01 杭州沃趣科技股份有限公司 A kind of method for carrying out data analysis by gathering switch network flow
CN108023767A (en) * 2017-11-29 2018-05-11 四川无声信息技术有限公司 Internet behavior method for tracing, device and server
CN108600053A (en) * 2018-05-10 2018-09-28 南京邮电大学 A kind of wireless network data Packet capturing method based on zero duplication technology
CN109768899A (en) * 2018-12-26 2019-05-17 北京奇安信科技有限公司 Website Usability monitoring method, device, equipment and medium
CN110401642A (en) * 2019-07-10 2019-11-01 浙江中烟工业有限责任公司 A method for collecting and analyzing industrial control traffic

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826916A (en) * 2021-01-28 2022-07-29 阿里巴巴集团控股有限公司 Data transmission method, device, system and computer storage medium
CN113515482A (en) * 2021-09-14 2021-10-19 北京国科天迅科技有限公司 Data transmission system, method, computer device and storage medium
CN116033038A (en) * 2022-12-28 2023-04-28 山东省水利勘测设计院有限公司 A water network project dispatching operation monitoring data sharing method
CN116033038B (en) * 2022-12-28 2025-01-28 山东省水利勘测设计院有限公司 A method for sharing water network project dispatching and operation monitoring data

Similar Documents

Publication Publication Date Title
CN108173938B (en) Server load distribution method and device
CN111917835A (en) A system, method and device for monitoring network data
CN113364804B (en) Method and device for processing flow data
WO2020097063A1 (en) Identifying network issues using an agentless probe and end-point network locations
CN113382062A (en) Data transmission method, device and system
CN113438256B (en) Data transmission method, system and proxy server based on double-layer SSL
CN114785854A (en) Service request processing method, device, equipment, storage medium and product
CN110311946A (en) Method, device and system for secure processing of business data based on cloud computing
CN113595927A (en) Method and device for processing mirror flow in bypass mode
CN111866100A (en) Method, device and system for controlling data transmission rate
CN115412326A (en) Abnormal flow detection method, device, electronic equipment and storage medium
CN115277506B (en) Load balancing equipment testing method and system
US9450906B2 (en) Managing a messaging queue in an asynchronous messaging system
WO2018032953A1 (en) Windows window sharing method, gateway server, system, storage media
CN112436951A (en) Method and device for predicting flow path
CN113079055B (en) AGV operation data dynamic acquisition method and device
CN110391950A (en) A kind of application service test method and device
US10901820B1 (en) Error state message management
CN114912111A (en) Cloud host virus detection method, device and system
CN114285805A (en) QUIC message filtering method, system, equipment and medium
CN114125066A (en) A method and device for processing service requests
CN112152915A (en) Message forwarding gateway system and message forwarding method
CN114598524B (en) Method, device, equipment and storage medium for detecting agent tool
CN113422716B (en) Mail security control method and system
CN116260855B (en) Communication method, communication device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201110