CN106789147B - Flow analysis method and device - Google Patents

Flow analysis method and device Download PDF

Info

Publication number
CN106789147B
CN106789147B CN201610285409.1A CN201610285409A CN106789147B CN 106789147 B CN106789147 B CN 106789147B CN 201610285409 A CN201610285409 A CN 201610285409A CN 106789147 B CN106789147 B CN 106789147B
Authority
CN
China
Prior art keywords
message
storage node
virtual storage
address
destination address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610285409.1A
Other languages
Chinese (zh)
Other versions
CN106789147A (en
Inventor
王海
韩东亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd filed Critical Hangzhou H3C Technologies Co Ltd
Priority to CN201610285409.1A priority Critical patent/CN106789147B/en
Publication of CN106789147A publication Critical patent/CN106789147A/en
Application granted granted Critical
Publication of CN106789147B publication Critical patent/CN106789147B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a flow analysis method and a device, wherein the method is applied to a Software Defined Network (SDN) controller in a cluster, the SDN controller comprises at least one virtual storage node, and the method comprises the following steps: acquiring a first message of each flow, and storing the first message to a target virtual storage node; obtaining a first access time set; receiving a second access time set sent by at least one other SDN controller in the cluster; and counting the total number of the first messages with the same source address and destination address according to the first access times set and the second access times set, determining the times of accessing the equipment corresponding to the destination address by the equipment corresponding to each source address, and generating a flow analysis result. By applying the embodiment of the invention, the speed of flow analysis is improved, and further the user experience is improved.

Description

Flow analysis method and device
Technical Field
The present invention relates to the field of network technologies, and in particular, to a traffic analysis method and apparatus.
Background
In daily life and work, it is often necessary to analyze websites visited by a user. In a conventional data center, when analyzing a website accessed by a user, all traffic in a time period to be analyzed needs to be introduced into a traffic analyzing device, and each message of each traffic is analyzed, so that the purpose of analyzing the website accessed by the user is achieved. With the development of network technology, the scale of each network is larger and larger, and the traffic in the network is more and more, in this case, all the traffic of the data center is analyzed on one traffic analyzing device, so that the traffic analyzing speed is very slow, and the user experience is poor.
Disclosure of Invention
The embodiment of the invention discloses a flow analysis method and a flow analysis device, which are used for improving the speed of flow analysis and further improving user experience.
In order to achieve the above object, an embodiment of the present invention discloses a traffic analysis method applied to a Software Defined Network (SDN) controller in a cluster, where the SDN controller includes at least one virtual storage node, and the method includes:
a traffic analysis method applied to a software defined network, SDN, controller in a cluster, the SDN controller comprising at least one virtual storage node, the method comprising:
acquiring a first message of each flow, and storing the first message to a target virtual storage node;
acquiring a first access frequency set; the first set of access times comprises: the sum of the number of the first messages with the same source address and destination address calculated by each local virtual storage node;
receiving a second access time set sent by at least one other SDN controller in the cluster;
and counting the total number of the first messages with the same source address and destination address according to the first access frequency set and the second access frequency set, determining the frequency of accessing the equipment corresponding to the destination address by the equipment corresponding to each source address, and generating a flow analysis result.
Optionally, the target virtual storage node is: a virtual storage node in the SDN controller or a virtual storage node in another SDN controller in the cluster.
Optionally, the storing the first packet to the target virtual storage node includes:
and correspondingly storing the first message and the identifier of the SDN controller into a target virtual storage node.
Optionally, the obtaining the first access time set includes:
the virtual storage node acquires at least one first message from the locally stored first message according to a preset first message acquisition condition; analyzing the source address and the destination address of each first message, and calculating the number of the first messages with the same source address and destination address;
the SDN controller obtains the number of the first messages with the same source address and destination address, which are obtained by calculation of each local virtual storage node, and sums the number of the first messages obtained by calculation of each local virtual storage node to obtain a first access time set.
Optionally, the analyzing the source address and the destination address of each first packet and calculating the number of the first packets having the same source address and destination address includes:
storing the destination address carried in the first message containing the same source address in the same address file; merging the same destination addresses stored in each address file into one destination address, and counting merging times; and determining the number of the first messages with the same source address and destination address according to the counted merging times.
In order to achieve the above object, an embodiment of the present invention further discloses a traffic analysis device applied to a software defined network, SDN, controller in a cluster, where the SDN controller includes at least one virtual storage node, and the device includes:
the message storage module is used for obtaining a first message of each flow and storing the first message to a target virtual storage node;
the set obtaining module is used for obtaining a first access frequency set; the first set of access times comprises: the sum of the number of the first messages with the same source address and destination address calculated by each local virtual storage node;
a set receiving module, configured to receive a second access time set sent by at least one other SDN controller in the cluster;
and the result generation module is used for counting the total number of the first messages with the same source address and destination address according to the first access frequency set and the second access frequency set, determining the frequency of the equipment corresponding to the equipment access destination address corresponding to each source address, and generating a flow analysis result.
Optionally, the target virtual storage node is: a virtual storage node in the SDN controller or a virtual storage node in another SDN controller of the cluster.
Optionally, the message storage module is specifically configured to:
and acquiring a first message of each flow, and storing the first message and the identifier of the SDN controller into a target virtual storage node of the first message.
Optionally, the set obtaining module includes:
the number calculation submodule is arranged in the virtual storage node and used for acquiring at least one first message from the locally stored first message according to a preset first message acquisition condition; analyzing the source address and the destination address of each first message, and calculating the number of the first messages with the same source address and destination address;
and the set obtaining submodule is arranged in the SDN controller and used for obtaining the number of the first messages with the same source address and destination address, which are obtained by calculation of each local virtual storage node, and summing the number of the first messages obtained by calculation of each local virtual storage node to obtain a first access time set.
Optionally, the number calculating submodule includes:
the message acquisition unit is used for acquiring at least one first message from the locally stored first message according to a preset first message acquisition condition;
the number calculation unit is used for storing the destination addresses carried in the first messages containing the same source address in the same address file; merging the same destination addresses stored in each address file into one destination address, and counting merging times; and determining the number of the first messages with the same source address and destination address according to the counted merging times.
As can be seen from the above, in the embodiment of the present invention, the SDN controller stores each obtained first packet in the target virtual storage node, and obtains a first access time set, where the first access time set includes: the method comprises the steps that the sum of the number of first messages with the same source address and destination address calculated by each local virtual storage node is obtained, meanwhile, the SDN controller receives a second access frequency set sent by at least one other SDN controller in the same cluster, the total number of the first messages with the same source address and destination address is counted according to the first access frequency set and the second access frequency set, the number of times that equipment corresponding to each source address accesses equipment corresponding to the destination address is determined according to the total number, and then a flow analysis result is generated. Here, the SDN controllers are equivalent to a traffic analysis device, each SDN controller obtains an access time set, and then an SDN controller counts the total number of first messages with the same source address and destination address according to the access time sets obtained by each SDN controller, so that the data amount calculated by a single SDN controller is reduced, the traffic analysis speed is increased, and the user experience is further improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a flow analysis system according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a traffic analysis method according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a first message storage form according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating a first MapReduce operation process according to an embodiment of the present invention;
FIG. 5 is a schematic diagram illustrating a second MapReduce operation according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a flow analysis apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The present invention will be described in detail below with reference to specific examples.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a traffic analysis system applied to a cluster of a data center, where the cluster includes at least two SDN controllers 101, and each SDN controller 101 includes at least one virtual storage node 102;
the SDN controller 101 acquires a first message of each flow and stores the first message to a target virtual storage node; here, the first message carries a source address and a destination address;
the SDN controller 101 acquires a first access frequency set; here, the first access number set includes: the sum of the number of the first messages with the same source address and destination address calculated by each local virtual storage node 102;
the virtual storage node 102 is configured to calculate the number of the first messages with the same source address and destination address;
the SDN controller 101 further receives a second access number set sent by at least one other SDN controller 101 in the same cluster as the SDN controller 101;
here, the first and second access frequency sets include: the source address, the destination address and the sum of the number of the first messages with the same source address and destination address.
The SDN controller 101 counts the total number of first messages having the same source address and destination address according to the first access frequency set and the second access frequency set, determines the frequency of accessing the device corresponding to the destination address by the device corresponding to each source address, and generates a traffic analysis result.
In an implementation manner of the present invention, any one SDN controller 101 in the cluster may determine, through the above process, the number of times that each device corresponding to the source address accesses the device corresponding to the destination address, and generate a traffic analysis result.
In an implementation manner of the present invention, a DataNode (where the DataNode is equivalent to a virtual storage node) and an HDFS (Hadoop Distributed File System) client are deployed on the SDN controller 101, so that after receiving a first packet, the SDN controller 101 may store the first packet to a target virtual storage node through the HDFS client. In addition, the SDN controller 101 may also read a first packet of data stored in the virtual storage node through the HDFS client.
In addition, in an implementation manner of the present invention, a plurality of first messages containing the same source address do not necessarily have the same destination address. When the number of the first messages with the same source address and destination address is calculated, each local virtual storage node 102 stores the destination address carried in the first message with the same source address in the same address file, merges the same destination address stored in the address file into a destination address, and counts the merging times; and determining the number of the first message with the same source address and destination address according to the counted merging times.
Suppose that there are 4 first packets obtained by the virtual storage node N, which are: x1, X2, X3, and X4, where the source address and the destination address of the 4 first messages are: { X1: source address a1, destination address b2}, { X2: source address a1, destination address b1}, { X3: source address a2, destination address b2}, { X4: a source address a1 and a destination address b2}, when all of X1, X2 and X4 contain a source address a1, the virtual storage node N stores the destination address b2 of X1, the destination address b1 of X2 and the destination address b2 of X4 in an address file with a file name a1, and the destination address b2 of X3 in an address file with a file name a2, so that the address file with a file name a1 contains: b2, b1, b 2; the address file with the file name a2 includes: b2. the address file with the file name of a1 comprises two b2 and one b1, the two b2 are merged into one b2, the merging frequency of b2 in the address file with the file name of a1 is determined to be 1, the merging frequency of b1 is determined to be 0, the address file with the file name of a2 comprises one b2, the merging frequency of b2 in the address file with the file name of a2 is determined to be 0, and the merging frequency corresponding to each destination address is added with 1, so that the number of the first messages with the same source address and destination address is determined to be: the number of the first messages with the same a1 and b2 is 2, the number of the first messages with the same a1 and b1 is 1, and the number of the first messages with the same a2 and b2 is 1.
Specifically, referring to fig. 2, fig. 2 is a schematic flowchart of a traffic analysis method provided in an embodiment of the present invention, and the traffic analysis method is applied to an SDN controller, where the SDN controller includes at least one virtual storage node, and the method includes:
s201: acquiring a first message of each flow, and storing the acquired first message to a target virtual storage node;
in an implementation manner of the present invention, when each flow applies for a flow table, a first packet is sent to an SDN controller, where the first packet carries a source address and a destination address.
In addition, the target virtual storage node may be a virtual storage node in the SDN controller, or may be a virtual storage node in another SDN controller belonging to the same cluster as the SDN controller.
In an implementation manner of the present invention, after receiving a first packet, an SDN controller determines a target virtual storage node from virtual storage nodes corresponding to a cluster to which the SDN controller belongs, and in an embodiment of the present invention, determining a target virtual storage node may be: determining the virtual storage node with the least stored content as a target virtual storage node; determining a target virtual storage node may also be: and determining the virtual storage node which stores the received first message and is fastest as a target virtual storage node. The HDFS client on the SDN controller stores the received first message to a target virtual storage node according to a Hadoop storage rule, wherein the Hadoop storage rule is the prior art and is not described herein any more.
In an implementation manner of the present invention, storing the obtained first packet to the target virtual storage node may be: and correspondingly storing the obtained first message and the identifier of the SDN controller into a target virtual storage node. Therefore, when the first message stored in the virtual storage node needs to be read, the first message stored corresponding to the identifier of the SDN controller can be quickly obtained according to the identifier of the SDN controller.
In one implementation manner of the present invention, a message file is created in advance in a virtual storage node. At this time, the storing the obtained first packet and the identifier of the SDN controller into the target virtual storage node correspondingly may be: and correspondingly storing the obtained first message and the identifier of the SDN controller in the same message file according to time, such as: the first messages received by the SDN controllers in 4, 11 and 2015 are all stored in the same message file, so that the situation that one message file contains the content of the first messages from multiple SDN controllers and/or multiple dates is avoided, the excessive first messages are stored in the message file, a user cannot quickly obtain the needed first messages, the first messages received by the SDN controllers are stored in the same message file according to time, and the user can quickly obtain the needed first messages according to the identification and the time of the SDN controllers. In one embodiment, the naming method of the message file may be: identification of SDN controller + year, month, day + sequence number. Assume that there is a message file named a201504110001 currently, where a is the identifier of the SDN controller, 20150411 is the year, month and day, and 0001 is a serial number, and the stored contents are as shown in table 1.
TABLE 1
Time of sending first message Source address Destination address First message content
20151020101010000 10.1.1.10 20.1.1.10 ……
20151020101010005 10.1.1.10 20.1.1.10 ……
20151020101010005 10.1.1.10 10.3.1.10 ……
20151020101010006 10.1.1.11 10.1.2.10 ……
Each row in table 1 represents a first packet, where the sending time of the first packet includes: year, month, day, hour, minute, second, and millisecond, the first message content may include: the source address corresponds to the interface identification of the equipment, the destination address corresponds to the interface identification of the equipment, the network identification and other information. In one embodiment, the first message is stored in the message file in a text form, and in order to distinguish each first message, the first message is stored in the message file in a line form, that is, each line stores one first message, as shown in fig. 3 when the first message in table 1 is stored in a text form.
S202: obtaining a first access time set;
here, the first access number set includes: and the sum of the number of the first messages with the same source address and destination address calculated by each local virtual storage node.
In an implementation manner of the present invention, in order to further increase the calculation speed, when calculating the number of the first packet with the same source address and destination address, each virtual storage node calculates the number of the first packet with the same source address and destination address, and the SDN controller then counts the sum of the number of the first packet with the same source address and destination address calculated by each local virtual storage node. Here, each virtual storage node calculates the number of the first packets with the same source address and destination address, and the specific process may include:
s1, acquiring at least one first message from the first messages stored in the virtual storage node according to preset first message acquisition conditions;
in an implementation manner of the present invention, a time point T1 and a time period T2 may be preset in the SDN controller, and the preset first packet obtaining condition is: if the current time is the time point T1, the first message of the sending time in the time period T2 is obtained according to the sending time carried in the first message. For example, the time point T1 is 03:00 am, the time period T2 is 24 hours before the time point T1, that is, the time period T2 is from 03:00 am of the previous day to 03:00 am of the current day, and if the current time is 03:00 am of the time point, the first message stored by the virtual storage node whose transmission time is within the time period T2 is acquired.
Preferably, the time point t1 is 03:00, because generally, traffic forwarding services processed by the SDN controller at 03:00 are less, so that the traffic analysis speed of the SDN controller can be increased, and the processing of the traffic forwarding services by the SDN controller is not affected.
S2, analyzing the source address and the destination address of each first message, and calculating the number of the first messages with the same source address and destination address;
in one implementation manner of the present invention, step S2 may include:
s21, storing the destination address carried in the first message containing the same source address in the same address file;
suppose that the virtual storage node N1 obtains 4 first messages, and the source address and the destination address carried by each first message are shown in table 2.
TABLE 2
Figure BDA0000978801640000081
Figure BDA0000978801640000091
Analyzing the table 2 to obtain that the source addresses 10.1.1.10 of the 3 first messages of A, B, C are the same, and the virtual storage node N1 stores the destination address carried by A, B, C in an address file with the file name of 10.1.1.10, wherein the address file contains {20.1.1.10, 20.1.1.10, 10.3.1.10 }; in addition, the virtual storage node N1 stores the destination address carried by D in an address file with the address file name 10.1.1.11, where the address file contains {10.1.2.10 }.
S22, merging the same destination addresses stored in each address file into one destination address, and counting the merging times;
as assumed in S21, the address file with file name 10.1.1.10 stores destination addresses {20.1.1.10, 20.1.1.10, 10.3.1.10}, and the address file includes two address files 20.1.1.10, and 20.1.1.10 is merged, where the merging count for 20.1.1.10 is 1 and the merging count for 10.3.1.10 is 0. In addition, the address file with the file name of 10.1.1.11 stores only the destination address {10.1.2.10}, and the merging count for 10.1.2.10 is 0.
And S23, determining the number of the first message with the same source address and destination address according to the counted merging times.
The number of the first packet having the same source address and destination address, which can be determined by adding 1 to the number of times of merging obtained in S22, is shown in table 3.
TABLE 3
Figure BDA0000978801640000092
The method comprises the steps that after the number of first messages with the same source address and destination address is determined, the virtual storage nodes send the source address, the destination address and the determined number of the first messages to an SDN controller, and the SDN controller sums the number of the first messages determined by each local virtual storage node to obtain a first access time set.
Assuming that the SDN controller includes, in addition to the virtual storage node N1 in S21, one virtual storage node N2, the virtual storage node N2 determines that the number of the first packet having the same source address 10.1.1.10 and destination address 20.1.1.10 is 1, and by combining the number of the first packet obtained in table 3, it can be finally determined that: the number of the first messages of the source address 10.1.1.10 and the destination address 20.1.1.10 is 3, the number of the first messages of the source address 10.1.1.10 and the destination address 10.3.1.10 is 1, and the number of the first messages of the source address 10.1.1.11 and the destination address 10.1.2.10 is 1; and obtaining a first access frequency set according to the finally determined number of the first messages.
In an embodiment of the present invention, the virtual storage node may determine, by using a MapReduce algorithm, the number of the first packets having the same source address and destination address.
Specifically, when the number of the first packet with the same source address and destination address is determined by using a MapReduce algorithm, two MapReduce operations need to be performed:
the first MapReduce operation:
and taking each obtained first message as a first input value of the Map in a key/value pair mode, wherein the key is an offset of an initial storage position of the first message in the virtual storage node (for example, the first message is stored in a message file, and the key can be the offset of the initial storage position of the first message in the message file), and the value is the first message. After Map processes the first input value, the source address and the destination address in the first message are obtained, the obtained source address and destination address are sent to Reduce, Reduce combines the items with the same source address, and the destination address in the items with the same source address is stored in the appointed address file.
And (3) carrying out a second MapReduce operation:
and taking the destination address in the address file obtained by the first MapReduce operation as a second input value of the Map in a key/value pair mode, wherein the key is the offset of the initial storage position of the destination address in the address file, and the value is the destination address. After Map processes the second input value, the key in each key/value pair becomes the destination address, the value becomes 1, after Shuffie deformation, the key/value pairs with the same key are merged, and the merged key/value pairs are sent to Reduce, which traverses each key and sums up the values corresponding to each key. At this time, the number of the first message with the same source address and destination address is determined according to the source address corresponding to the address file, the destination address in the statistical sum back key and the numerical value in the statistical sum back value.
Assuming that when the virtual storage node calculates the number of the first packets having the same source address and destination address, the obtained first packet is 4 first packets as shown in fig. 3, and a process of performing a first MapReduce operation is shown in fig. 4, specifically, a first input value, such as (0, 20151020101010000010001001010020001001010 … …), is determined, where "0" in a key is an offset of an initial storage location of the corresponding first packet in a packet file, and "20151020101010000010001001010020001001010 … …" in the value is the first packet; sending the first input value to a Map, and obtaining a source address and a destination address of each first-sent message from the first input value by the Map, such as '010001001001010' and '020001010', wherein 010001001010 is the source address and 020001001010 is the destination address; sending the obtained source address and destination address to Reduce, combining the same items of the source address by Reduce to obtain 2 address files, which are respectively: the file name is 10.1.1.10, the file name is 10.1.1.11, the file name is 10.1.1.10, the address file comprises destination addresses {020001001010, 020001001010, 010003001010}, and the file name is 10.1.1.11, and the address file comprises destination addresses {010001002010 };
performing a second MapReduce operation on the two address files, wherein the process is as shown in fig. 5, and specifically, determining a second input value, such as (0, 020001001010), where "0" in the key is an offset of a starting storage location of a destination address corresponding to the key/value in the message file, and "020001001010" in the value is the destination address; sending the second input value to Map, and Map transforming the key value pairs from the second input value, changing the key in each key/value pair into the destination address and changing the value into 1, if (0, 020001001010) is transformed into (020001001010, 1), after Shuffie transformation, combining the key/value pairs with the same key, if the transformed key with two key/value pairs is "020001001010", after Shuffie transformation, it can be transformed into (020001001010, [1, 1 ]); the morphed key/value pair is sent to Reduce, Reduce traverses each key, and the values corresponding to each key are summed, e.g., the value of the (020001001010, [1, 1]) key-value pair is summed, resulting in (020001001010, 2).
At this time, the number of the first message with the same source address and destination address is determined by combining the address file name, the destination address in the statistical addition back key and the numerical value in the statistical addition back value: the number of the first packet containing the source address 10.1.1.10 and the destination address 20.1.1.10 is 2, the number of the first packet containing the source address 10.1.1.10 and the destination address 10.3.1.10 is determined to be 1, and the number of the first packet containing the source address 10.1.1.11 and the destination address 10.1.2.10 is determined to be 1.
S203: receiving a second access time set sent by at least one other SDN controller in the cluster;
here, the SDN controller may receive the second access time sets sent by all other SDN controllers in the cluster in which the SDN controller is located, and may also receive the second access time sets sent by any one or more SDN controllers.
It should be noted that the method for obtaining the second access times set is the same as the method for obtaining the first access times set, and the first and second access times sets include: the source address, the destination address, and the number of the first messages with the same source address and destination address.
S204: and counting the total number of the first messages with the same source address and destination address according to the first access times set and the second access times set, determining the times of accessing the equipment corresponding to the destination address by the equipment corresponding to each source address, and generating a flow analysis result.
Here, the flow rate analysis result includes: source address, destination address, and number of destinations accessed by the source. Here, the destination address may be an address of a website accessed by the user, and the user can obtain the number of times that the device corresponding to each source address accesses the same website according to the correspondence between the source address, the destination address, and the number of times that the source accesses the destination, which are included in the traffic analysis result.
Assuming that the total number of the first messages with the same source address 10.1.1.10 and destination address 20.1.1.10 obtained by statistics is 4, it is determined that the number of times that the device corresponding to the source address of the address 10.1.1.10 accesses the website of the address 20.1.1.10 is 4.
In an implementation manner of the present invention, the address included in the traffic analysis result is an IP address, and if the IP address is displayed to the user, the user cannot intuitively know which websites the device corresponding to the source address accesses, so after generating the traffic analysis result, the method may further include:
and sending the flow analysis result to a DNS (domain name server), wherein the DNS resolves the source address and the destination address contained in the flow analysis result into domain names, and displays the domain names obtained by resolving to a user, so that the user can intuitively know which websites are accessed by the equipment corresponding to which source addresses according to the domain names.
In addition, if the user needs to know what the device corresponding to the source address does in a certain visited website, the SDN controller may obtain, through the HDFS client, a first packet corresponding to the source address and the destination address stored in the virtual storage node, and further obtain information required by the user from the obtained first packet.
By applying the embodiment shown in fig. 1, the SDN controller stores each obtained first packet in a target virtual storage node to obtain a first access time set, where the first access time set includes: the method comprises the steps that the sum of the number of first messages with the same source address and destination address calculated by each local virtual storage node is obtained, meanwhile, the SDN controller receives a second access frequency set sent by at least one other SDN controller in the same cluster, the total number of the first messages with the same source address and destination address is counted according to the first access frequency set and the second access frequency set, the number of times that equipment corresponding to each source address accesses equipment corresponding to the destination address is determined according to the total number, and then a flow analysis result is generated. Here, the SDN controllers are equivalent to a traffic analysis device, each SDN controller obtains an access time set, and then an SDN controller counts the total number of first messages with the same source address and destination address according to the access time sets obtained by each SDN controller, so that the data amount calculated by a single SDN controller is reduced, the traffic analysis speed is increased, and the user experience is further improved.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a traffic analysis apparatus according to an embodiment of the present invention, where the traffic analysis apparatus is applied to a software defined network SDN controller in a cluster, where the SDN controller includes at least one virtual storage node, and the apparatus includes:
a message storage unit 601, configured to obtain a first message of each flow, and store each obtained first message to a corresponding target virtual storage node; here, the first message carries a source address and a destination address;
a set obtaining unit 602, configured to obtain a first access time set; the first set of access times comprises: the sum of the number of the first messages with the same source address and destination address calculated by each local virtual storage node;
a set receiving unit 603, configured to receive a second access time set sent by at least one other SDN controller in the cluster;
a result generating unit 604, configured to count the total number of the first packets having the same source address and destination address according to the first access frequency set and the second access frequency set, determine the frequency of accessing the device corresponding to the destination address by the device corresponding to each source address, and generate a traffic analysis result.
In one implementation manner of the present invention, the target virtual storage node is: a virtual storage node in the SDN controller or a virtual storage node in other SDN controllers of the cluster.
In an implementation manner of the present invention, the message storage unit 601 is specifically configured to:
and acquiring a first message of each flow, and correspondingly storing the first message and the identifier of the SDN controller into a target virtual storage node.
In an implementation manner of the present invention, the set obtaining module 602 may include:
the number calculation submodule is arranged in the virtual storage node and used for acquiring at least one first message from the locally stored first message according to a preset first message acquisition condition; analyzing the source address and the destination address of each first message, and calculating the number of the first messages with the same source address and destination address;
the set obtaining submodule is arranged in the SDN controller, and is configured to obtain the number of first packets with the same source address and destination address, which are obtained by calculation of each local virtual storage node, and add the number of the first packets obtained by calculation of each local virtual storage node, so as to obtain a first access time set (not shown in fig. 6).
In an implementation manner of the present invention, the number calculating submodule may include:
the message acquisition unit is used for acquiring at least one first message from the locally stored first message according to a preset first message acquisition condition;
the number calculation unit is used for storing the destination addresses carried in the first messages containing the same source address in the same address file; merging the same destination addresses stored in each address file into one destination address, and counting merging times; and determining the number of the first messages with the same source address and destination address according to the counted merging times.
Applying the embodiment shown in fig. 6, the SDN controller stores each obtained first packet in a target virtual storage node to obtain a first access time set, where the first access time set includes: the method comprises the steps that the sum of the number of first messages with the same source address and destination address calculated by each local virtual storage node is obtained, meanwhile, the SDN controller receives a second access frequency set sent by at least one other SDN controller in the same cluster, the total number of the first messages with the same source address and destination address is counted according to the first access frequency set and the second access frequency set, the number of times that equipment corresponding to each source address accesses equipment corresponding to the destination address is determined according to the total number, and then a flow analysis result is generated. Here, the SDN controllers are equivalent to a traffic analysis device, each SDN controller obtains an access time set, and then an SDN controller counts the total number of first messages with the same source address and destination address according to the access time sets obtained by each SDN controller, so that the data amount calculated by a single SDN controller is reduced, the traffic analysis speed is increased, and the user experience is further improved.
For the system and apparatus embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiments.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Those skilled in the art will appreciate that all or part of the steps in the above method embodiments may be implemented by a program to instruct relevant hardware to perform the steps, and the program may be stored in a computer-readable storage medium, which is referred to herein as a storage medium, such as: ROM/RAM, magnetic disk, optical disk, etc.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A traffic analysis method applied to a Software Defined Network (SDN) controller in a cluster, wherein the SDN controller comprises at least one virtual storage node, the method comprising:
acquiring a first message of each flow, and storing the first message to a target virtual storage node;
acquiring a first access frequency set; the first set of access times comprises: the sum of the number of first messages with the same source address and destination address calculated by each virtual storage node in the SDN controller;
receiving a second access time set sent by at least one other SDN controller in the cluster;
and counting the total number of the first messages with the same source address and destination address according to the first access frequency set and the second access frequency set, determining the frequency of accessing the equipment corresponding to the destination address by the equipment corresponding to each source address, and generating a flow analysis result.
2. The method of claim 1, wherein the target virtual storage node is: a virtual storage node in the SDN controller or a virtual storage node in another SDN controller in the cluster.
3. The method of claim 1, wherein storing the first packet to a target virtual storage node comprises:
and correspondingly storing the first message and the identifier of the SDN controller into a target virtual storage node.
4. The method of claim 1, wherein obtaining the first set of access times comprises:
the virtual storage node acquires at least one first message from the locally stored first message according to a preset first message acquisition condition; analyzing the source address and the destination address of each first message, and calculating the number of the first messages with the same source address and destination address;
the SDN controller obtains the number of the first messages with the same source address and destination address, which are obtained by calculation of each local virtual storage node, and sums the number of the first messages obtained by calculation of each local virtual storage node to obtain a first access time set.
5. The method of claim 4, wherein analyzing the source address and the destination address of each first packet and calculating the number of first packets having the same source address and destination address comprises:
storing the destination address carried in the first message containing the same source address in the same address file; merging the same destination addresses stored in each address file into one destination address, and counting merging times; and determining the number of the first messages with the same source address and destination address according to the counted merging times.
6. A traffic analysis apparatus applied to a software defined network, SDN, controller in a cluster, wherein the SDN controller comprises at least one virtual storage node, the apparatus comprising:
the message storage module is used for obtaining a first message of each flow and storing the first message to a target virtual storage node;
the set obtaining module is used for obtaining a first access frequency set; the first set of access times comprises: the sum of the number of first messages with the same source address and destination address calculated by each virtual storage node in the SDN controller;
a set receiving module, configured to receive a second access time set sent by at least one other SDN controller in the cluster;
and the result generation module is used for counting the total number of the first messages with the same source address and destination address according to the first access frequency set and the second access frequency set, determining the frequency of the equipment corresponding to the equipment access destination address corresponding to each source address, and generating a flow analysis result.
7. The apparatus of claim 6, wherein the target virtual storage node is: a virtual storage node in the SDN controller or a virtual storage node in another SDN controller of the cluster.
8. The apparatus according to claim 6, wherein the message storage module is specifically configured to:
and acquiring a first message of each flow, and correspondingly storing the first message and the identifier of the SDN controller into a target virtual storage node of the first message.
9. The apparatus of claim 6, wherein the set obtaining module comprises:
the number calculation submodule is arranged in the virtual storage node and used for acquiring at least one first message from the locally stored first message according to a preset first message acquisition condition; analyzing the source address and the destination address of each first message, and calculating the number of the first messages with the same source address and destination address;
and the set obtaining submodule is arranged in the SDN controller and used for obtaining the number of the first messages with the same source address and destination address, which are obtained by calculation of each local virtual storage node, and summing the number of the first messages obtained by calculation of each local virtual storage node to obtain a first access time set.
10. The apparatus of claim 9, wherein the number calculation submodule comprises:
the message acquisition unit is used for acquiring at least one first message from the locally stored first message according to a preset first message acquisition condition;
the number calculation unit is used for storing the destination addresses carried in the first messages containing the same source address in the same address file; merging the same destination addresses stored in each address file into one destination address, and counting merging times; and determining the number of the first messages with the same source address and destination address according to the counted merging times.
CN201610285409.1A 2016-04-29 2016-04-29 Flow analysis method and device Active CN106789147B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610285409.1A CN106789147B (en) 2016-04-29 2016-04-29 Flow analysis method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610285409.1A CN106789147B (en) 2016-04-29 2016-04-29 Flow analysis method and device

Publications (2)

Publication Number Publication Date
CN106789147A CN106789147A (en) 2017-05-31
CN106789147B true CN106789147B (en) 2020-09-25

Family

ID=58972195

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610285409.1A Active CN106789147B (en) 2016-04-29 2016-04-29 Flow analysis method and device

Country Status (1)

Country Link
CN (1) CN106789147B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109462580B (en) * 2018-10-24 2021-03-30 全球能源互联网研究院有限公司 Training flow detection model, method and device for detecting abnormal business flow
CN109450798B (en) * 2018-12-13 2022-07-12 郑州云海信息技术有限公司 Method for managing routing table information and computer-readable storage medium
CN112800142B (en) * 2020-12-15 2023-08-08 赛尔网络有限公司 MR job processing method, device, electronic equipment and storage medium
CN113259187B (en) * 2021-07-12 2021-10-26 深圳市永达电子信息股份有限公司 SDN-based traffic stack analysis method, system and computer-readable storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101335709B (en) * 2008-08-07 2010-09-22 杭州华三通信技术有限公司 Method for implementing load sharing among flow analysis servers and shunting equipment
CN101741633B (en) * 2008-11-06 2011-12-28 北京启明星辰信息技术股份有限公司 Association analysis method and system for massive logs
CN101808017B (en) * 2010-03-26 2012-04-18 中国科学院计算技术研究所 Method and system for quantificationally calculating network abnormity index
US20160050132A1 (en) * 2014-08-18 2016-02-18 Telefonaktiebolaget L M Ericsson (Publ) Method and system to dynamically collect statistics of traffic flows in a software-defined networking (sdn) system

Also Published As

Publication number Publication date
CN106789147A (en) 2017-05-31

Similar Documents

Publication Publication Date Title
CN107404408B (en) Virtual identity association identification method and device
RU2612583C2 (en) Marketplace for timely event data distribution
CN106789147B (en) Flow analysis method and device
US8595322B2 (en) Target subscription for a notification distribution system
US20130067015A1 (en) Counting and reseting broadcast system badge counters
CN111459986B (en) Data computing system and method
CN108282508B (en) Geographic position determining method and device and information pushing method and device
WO2013106595A2 (en) Processing store visiting data
JP6756744B2 (en) Location information provision method and equipment
US20130060864A1 (en) Method and an apparatus for distribution of a message
CN110555172A (en) user relationship mining method and device, electronic equipment and storage medium
US20140081909A1 (en) Linking social media posts to a customers account
CN109688205A (en) The hold-up interception method and device of web page resources
CN106952085B (en) Method and device for data storage and service processing
CN113268550A (en) Method and system for scheduling autonomous domain system, electronic device and storage medium
EP3407572A1 (en) Detection of aberrant domain registration and resolution patterns
CN108322495A (en) Processing method, the device and system of resource access request
WO2013119456A1 (en) Retrieving availability information from published calendars
CN113761565B (en) Data desensitization method and device
US10320731B2 (en) System and method for threading electronic messages
CN108985805B (en) Method and device for selectively executing push task
CN104166659A (en) Method and system for map data duplication judgment
CN111078773B (en) Data processing method and device
US8601578B1 (en) Identifying potentially suspicious business listings for moderation
CN113672776B (en) Fault analysis method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant