Detailed Description of Embodiments
Some exemplary embodiments are described below with reference to the accompanying drawings in order to explain the principle and spirit of the present invention. It should be appreciated that these embodiments are provided only so that those skilled in the art can better understand and then implement the present invention, and they do not limit the scope of the invention in any way.
In the following description, the system that receives network data may be described as Linux- or Unix-based, but this is only exemplary. In fact, embodiments of the invention are applicable to any suitable system, whether known at present or developed in the future.
Reference is first made to Figure 1, which shows a flow chart of a method 100 for processing network data according to an exemplary embodiment of the invention.
After method 100 starts, at step S101, data received from the network through a network adapter are stored in a first buffer of the system kernel.
Traditionally, in a Linux-based system, network data received from the network adapter are stored in a kernel buffer (referred to here as the "native buffer"), and a user-space application accesses them by copying the data through a system call. According to embodiments of the invention, in step S101 the first buffer used for storing the data may be a buffer that is independent of the system's native protocol family.
According to some embodiments of the invention, method 100 may be implemented by means of a new protocol family. This protocol family may coexist with the native protocol family of the Linux system; in this case, data received from the network adapter are stored in both the first buffer and the native buffer. Alternatively, the protocol family implementing method 100 may replace the native protocol family of the Linux system; in this case, data are stored only in the first buffer.
Alternatively, according to some embodiments of the invention, the native kernel buffer of the Linux system may be used directly as the first buffer for holding the data received from the network. The scope of the invention is not limited in this regard.
Next, method 100 proceeds to step S102, where the address information of the received data within the first buffer is stored in a second buffer of the kernel.
Like the first buffer, the second buffer is also located in the kernel. What the second buffer holds, however, is not the received data themselves but the address information of those data within the first buffer. For example, according to some embodiments, the address information of the data in the first buffer comprises a pointer to that address. Other forms of address information are equally feasible.
In particular, according to some embodiments of the invention, the second buffer may comprise a circular queue. Compared with an ordinary first-in-first-out (FIFO) queue, a circular queue handles large-scale input data better and reduces the packet loss caused by highly concurrent traffic. Moreover, according to embodiments of the invention, the length of the second buffer can be adjusted dynamically as storage resources change, so as to adapt to different data volumes.
Next, method 100 proceeds to step S103, where the address information in the second buffer is provided to a user-space application so that the application can access the data in the first buffer for processing.
As mentioned above, in conventional network data processing the received network data are stored in a kernel buffer; when an upper-layer user application needs to access these data, the application performs a data copy by means of a system call, copying the data from the kernel buffer into the buffer of the user application. Under large-scale concurrent data flows, this causes a significant degradation of system performance.
In contrast, what is offered to the user-space application at step S103 is not the data themselves but the address information held in the second buffer, for example a pointer. In other words, according to embodiments of the invention, an address mapping mechanism exists between the second buffer, which stores the memory addresses of the data, and the upper-layer application in user space, and by means of this mechanism the address information of the data in the first buffer is provided to the upper-layer application. According to some embodiments, the memory-mapping mechanism of Linux or Unix systems, which is known to those skilled in the art, may be used to deliver the address information in the second buffer to the application. Of course, any other suitable mechanism is also feasible.
Note that, according to embodiments of the invention, at step S103 the address information of the data may be provided from the second buffer to the application in response to a request from the upper-layer application. Alternatively, the second buffer may provide the address information to the application on its own initiative (for example, periodically).
After the application has obtained the address information, it can use that address information to access the data directly in the first buffer of the kernel for processing, for example performing data analysis and/or filtering to determine whether the data represent malicious behavior or a potential network intrusion.
Those skilled in the art will appreciate that, according to embodiments of the invention, the application's access to the data in the first buffer by means of address information differs technically from a data copy by means of a system call. Data access by means of address information such as a pointer requires no switching between kernel mode and user mode. Thus, embodiments of the invention avoid the secondary data copy of the prior art and instead use a memory-mapping mechanism to allow a user-space application to access data stored in the kernel, avoiding frequent mode switches.
According to embodiments of the invention, after the upper-layer application has obtained the data, it may perform various analyses on them. For example, the content submitted by a user can be identified and accurately obtained by means of the back-end forms provided by the network provider. Moreover, according to embodiments of the invention, fast data filtering can be carried out by means of single-pattern or multi-pattern regular expression matching. Alternatively or additionally, a cluster may be used to receive and analyze audit information in a distributed manner, so as to analyze malicious actions of users, and so on. The foregoing is only exemplary, and the application may perform any suitable processing and analysis of the obtained data for various purposes.
Method 100 ends after step S103.
Reference is now made to Figure 2, which shows a block diagram of a device 200 for processing network data according to an exemplary embodiment of the invention.
As shown in the figure, device 200 comprises a data storage unit 201 configured to store data received from the network through a network adapter in a first buffer of the device kernel. Device 200 also comprises an address storage unit 202 configured to store the address information of said data within said first buffer in a second buffer of said kernel. In addition, device 200 comprises an address mapping unit 203 configured to provide the address information in said second buffer to a user-space application so that said application can access the data in said first buffer for processing.
According to some embodiments of the invention, the second buffer may comprise a circular queue. According to some embodiments of the invention, the address information may comprise a pointer to the data in said first buffer. According to some embodiments of the invention, the address mapping unit may comprise a memory-mapping unit configured to provide said address information to said application by memory mapping. According to some embodiments of the invention, the system is a Linux-based device, and said first buffer is a buffer, independent of the native protocol family of said system, used for storing said data. According to some embodiments of the invention, device 200 further comprises an intrusion detection unit (not shown) configured to analyze said data in order to detect potential network intrusions.
For clarity, optional units or sub-units that device 200 may comprise are not shown in Figure 2. It should be appreciated that the units of device 200 correspond respectively to the steps of method 100 described above with reference to Figure 1. Thus, all the features and operations described above for method 100 apply equally to device 200 and are not repeated here.
In addition, the division of units in device 200 is exemplary rather than restrictive and is intended to describe their main functions or operations logically. The function of a single unit shown in Figure 2 may be realized by multiple units; conversely, multiple units shown in Figure 2 may be realized by a single unit. The scope of the invention is not limited in this regard.
According to embodiments of the invention, device 200 may be realized in a variety of ways. For example, in some embodiments device 200 may be realized in software and/or firmware. Alternatively or additionally, device 200 may be realized partially or fully in hardware. For example, device 200 may be implemented as an integrated circuit (IC) chip or an application-specific integrated circuit (ASIC). Device 200 may also be implemented as a system on a chip (SOC). Other ways, known now or developed in the future, are also feasible, and the scope of the invention is not limited in this regard.
Reference is now made to Figure 3, which shows a schematic block diagram of a computer 300 suitable for practicing embodiments of the present invention. As shown in the figure, computer 300 may comprise: a CPU (central processing unit) 301, a RAM (random access memory) 302, a ROM (read-only memory) 303, a system bus 304, a hard disk controller 305, a keyboard controller 306, a serial interface controller 307, a parallel interface controller 308, a display controller 309, a hard disk 310, a keyboard 311, a serial external device 312, a parallel external device 313 and a display 314. Among these devices, CPU 301, RAM 302, ROM 303, hard disk controller 305, keyboard controller 306, serial interface controller 307, parallel interface controller 308 and display controller 309 are coupled to system bus 304. Hard disk 310 is coupled to hard disk controller 305, keyboard 311 is coupled to keyboard controller 306, serial external device 312 is coupled to serial interface controller 307, parallel external device 313 is coupled to parallel interface controller 308, and display 314 is coupled to display controller 309. It should be appreciated that the structural block diagram of Figure 3 is shown only for the purpose of example and not as a limitation on the scope of the invention. In some cases, certain devices may be added or removed as circumstances require.
As mentioned above, device 200 may be realized in hardware such as a chip, ASIC, SOC, etc. Such hardware may be integrated in computer 300. In addition, embodiments of the invention may also be realized in the form of a computer program product. For example, method 100 described with reference to Figure 1 may be realized by a computer program product. This computer program product may be stored in, for example, RAM 304, ROM 304, hard disk 310 and/or any suitable storage medium as shown in Figure 3, or downloaded to computer 300 from a suitable location over a network. The computer program product may comprise a computer code portion comprising program instructions executable by a suitable processing device (for example, CPU 301 shown in Figure 3). The program instructions may at least comprise instructions for implementing the steps of method 100.
It should be noted that embodiments of the invention may be realized in hardware, in software, or in a combination of software and hardware. The hardware part may be realized using dedicated logic; the software part may be stored in a memory and executed by a suitable instruction execution system, for example a microprocessor or specially designed hardware. Those having ordinary skill in the art will appreciate that the above devices and methods may be realized with computer-executable instructions and/or included in processor control code, such code being provided, for example, on a carrier medium such as a magnetic disk, CD or DVD-ROM, on a programmable memory such as a read-only memory (firmware), or on a data carrier such as an optical or electronic signal carrier. The device of the present invention and its modules may be realized by hardware circuitry such as a very large scale integrated circuit (VLSI) or gate array, semiconductors such as logic chips and transistors, or programmable hardware devices such as field-programmable gate arrays and programmable logic devices; by software executed by various types of processors; or by a combination of the above hardware circuitry and software, for example firmware.
The communication network mentioned in the specification may comprise various networks, including but not limited to a local area network ("LAN"), a wide area network ("WAN"), a network according to the IP protocol (for example, the Internet) and an ad hoc network (for example, an ad hoc peer-to-peer network).
It should be noted that although several units of the device have been mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of the invention, the features and functions of two or more units described above may be embodied in a single unit. Conversely, the features and functions of one unit described above may be further divided so as to be realized by multiple units.
In addition, although the operations of the method of the invention are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in that particular order, or that all the operations shown must be performed in order to achieve the desired result. On the contrary, the steps depicted in the flow chart may be performed in a different order. Additionally or alternatively, some steps may be omitted, multiple steps may be combined into one step, and/or one step may be split into multiple steps.
Although the present invention has been described with reference to several specific embodiments, it should be appreciated that the present invention is not limited to the specific embodiments disclosed. The present invention is intended to cover the various modifications and equivalent arrangements included within the spirit and scope of the appended claims. The scope of the claims is to be accorded the broadest interpretation so as to encompass all such modifications and equivalent structures and functions.