CN114006956B - Message data analysis method, device and equipment - Google Patents
Message data analysis method, device and equipment Download PDFInfo
- Publication number
- CN114006956B CN114006956B CN202111273061.1A CN202111273061A CN114006956B CN 114006956 B CN114006956 B CN 114006956B CN 202111273061 A CN202111273061 A CN 202111273061A CN 114006956 B CN114006956 B CN 114006956B
- Authority
- CN
- China
- Prior art keywords
- offset
- data
- message data
- query address
- layer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/60—Software deployment
- G06F8/65—Updates
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
Abstract
本公开涉及一种报文数据解析方法、装置、设备、电子设备及计算机可读介质。该方法包括:识别报文数据的首层协议类型;基于所述首层协议类型确定首层偏移量查询地址和下层协议查询地址;基于所述首层偏移量查询地址和下层协议查询地址提取所述报文数据的关键字段数据;在所述关键字段数据满足预设策略时,基于所述预设策略对所述报文数据进行解析生成解析结果。本公开涉及的报文数据解析方法、装置、设备、电子设备及计算机可读介质,能够实时更新偏移量数据查询表以及协议类型数据查询表,从而实现报文解析种类的动态配置,无需修改代码重新烧写程序,加快产品更新迭代速度。
The present disclosure relates to a message data parsing method, device, equipment, electronic device and computer-readable medium. The method includes: identifying the first-layer protocol type of the message data; determining the first-layer offset query address and the lower-layer protocol query address based on the first-layer protocol type; extracting the key field data of the message data based on the first-layer offset query address and the lower-layer protocol query address; when the key field data meets the preset strategy, parsing the message data based on the preset strategy to generate a parsing result. The message data parsing method, device, equipment, electronic device and computer-readable medium involved in the present disclosure can update the offset data query table and the protocol type data query table in real time, thereby realizing dynamic configuration of the message parsing type, without modifying the code and re-burning the program, and accelerating the product update and iteration speed.
Description
Technical Field
The disclosure relates to the field of computer information processing, and in particular relates to a method, a device, equipment, electronic equipment and a computer readable medium for analyzing message data.
Background
A message is a data unit exchanged and transmitted in the network, i.e. a data block to be sent by a station at one time. These data blocks start with meta-information in the form of text describing the content and meaning of the message, followed by optional data parts. The message contains the complete data information to be sent, and the length of the message is not consistent, and the length of the message is unlimited and variable. The message is organized based on a protocol defined by file transmission, and the message is analyzed by analyzing the file data in a specific format into a desired result so as to be convenient to process.
The FPGA is applied in a large amount in the network communication equipment with low delay and parallel processing capacity, and with the development of network communication technology, new services such as the 5G mobile Internet, a big data center, automatic driving and the like are appeared, and the network communication equipment is required to update and iterate products according to the requirements of the new services, so that a new message analysis scheme derived from the characteristics of the FPGA can be flexibly utilized.
The traditional parsing method has the advantages that all types of messages which can be parsed are determined, logic codes are written according to the types which need to be parsed, the codes are required to be modified and FPGA programs are required to be rewritten every time a new type of message is updated, then related functions are tested, the updating iteration speed of network communication equipment using the parsing method is low, and the network communication equipment is difficult to adapt to the increasing business demands.
Therefore, a new method, apparatus, device, electronic device, and computer readable medium for parsing message data are needed.
The above information disclosed in the background section is only for enhancement of understanding of the background of the disclosure and therefore it may include information that does not form the prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the disclosure provides a method, an apparatus, a device, an electronic device, and a computer readable medium for analyzing message data, which can update an offset memory data lookup table and a protocol type memory data lookup table in real time, thereby realizing dynamic configuration of message analysis types, without modifying codes to re-write FPGA programs, and accelerating product update iteration speed.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to one aspect of the disclosure, a message data analysis method is provided, and the method comprises the steps of identifying a first layer protocol type of message data, determining a first layer offset query address and a lower layer protocol query address based on the first layer protocol type, extracting key field data of the message data based on the first layer offset query address and the lower layer protocol query address, and analyzing the message data based on a preset strategy to generate an analysis result when the key field data meets the preset strategy.
In an exemplary embodiment of the disclosure, the method further includes determining a lower protocol type based on the key field data when the key field data does not meet a preset policy, determining a lower offset query address and a last protocol query address based on the lower protocol type, and resolving the message data based on the lower offset query address and the last protocol query address to generate a resolved result.
In one exemplary embodiment of the present disclosure, the method further comprises storing a plurality of offset query addresses based on the offset memory and storing a plurality of protocol query addresses based on the protocol type querier.
In one exemplary embodiment of the present disclosure, real-time modification of the plurality of offset query addresses and the plurality of protocol query addresses according to a data modification instruction is included.
In one exemplary embodiment of the present disclosure, determining a first layer offset query address and a lower layer protocol query address based on the first layer protocol type includes determining the first layer offset query address based on data length information of the first layer protocol type and determining the lower layer protocol query address based on data length information of the first layer protocol type.
In one exemplary embodiment of the disclosure, extracting key field data of the message data based on the first layer offset query address and a lower layer protocol query address includes determining offset data based on the first layer offset query address, determining a protocol type based on the lower layer protocol query address, and parsing the message data based on the offset data and the protocol type to extract the key field data.
In an exemplary embodiment of the disclosure, parsing the message data based on the offset data and the protocol type to extract the key field data includes offsetting the message data based on the offset data and parsing the offset message data according to the protocol type to extract the key field data.
In an exemplary embodiment of the disclosure, when the key field data meets a preset policy, analyzing the message data based on the preset policy to generate an analysis result includes analyzing the message data according to a TCP protocol to generate an analysis result when the key field data is the TCP protocol.
According to one aspect of the disclosure, a message data analysis device is provided, which comprises an identification module for identifying a first layer protocol type of message data, an address module for determining a first layer offset query address and a lower layer protocol query address based on the first layer protocol type, a data module for extracting key field data of the message data based on the first layer offset query address and the lower layer protocol query address, and an analysis module for analyzing the message data based on a preset strategy to generate an analysis result when the key field data meets the preset strategy.
In one exemplary embodiment of the present disclosure, an instruction module is included for modifying the plurality of offset query addresses and the plurality of protocol query addresses in real time according to a data modification instruction.
According to one aspect of the disclosure, a message data analysis device is provided, and the device comprises a message data analysis device used for identifying a first layer protocol type of message data, a first layer offset query address and a lower layer protocol query address which are determined based on the first layer protocol type, key field data of the message data are extracted based on the first layer offset query address and the lower layer protocol query address, when the key field data meet a preset strategy, the message data are analyzed based on the preset strategy to generate an analysis result, an offset memory is used for storing a plurality of offset query addresses so that the message data analysis device can inquire, and a protocol type memory is used for storing a plurality of protocol query addresses so that the message data analysis device can inquire.
According to an aspect of the disclosure, an electronic device is presented, comprising one or more processors, storage means for storing one or more programs, which when executed by the one or more processors, cause the one or more processors to implement a method as described above.
According to an aspect of the present disclosure, a computer-readable medium is presented, on which a computer program is stored, which program, when being executed by a processor, implements a method as described above.
According to the method, the device, the electronic equipment and the computer readable medium for analyzing the message data, the first layer protocol type of the message data is identified, the first layer offset query address and the lower layer protocol query address are determined based on the first layer protocol type, key field data of the message data are extracted based on the first layer offset query address and the lower layer protocol query address, when the key field data meet a preset strategy, the message data are analyzed based on the preset strategy to generate an analysis result, and the offset memory data query table and the protocol type memory data query table can be updated in real time, so that dynamic configuration of the message analysis type is realized, a code is not required to be modified to rewrite an FPGA program, and the product updating iteration speed is accelerated.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely examples of the present disclosure and other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 is a schematic diagram of a message parsing method according to the prior art.
Fig. 2 is a flow chart illustrating a method of message data parsing according to an exemplary embodiment.
Fig. 3 is a flow chart illustrating a method of message data parsing according to another exemplary embodiment.
Fig. 4 is a schematic diagram illustrating a message data parsing method according to another exemplary embodiment.
Fig. 5 is a schematic diagram illustrating a message data parsing method according to another exemplary embodiment.
Fig. 6 is a schematic diagram illustrating a message data parsing method according to another exemplary embodiment.
Fig. 7 is a block diagram illustrating a message data parsing apparatus according to an exemplary embodiment.
Fig. 8 is a block diagram of a message data parsing apparatus according to another exemplary embodiment.
Fig. 9 is a block diagram of an electronic device, according to an example embodiment.
Fig. 10 is a block diagram of a computer-readable medium shown according to an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments can be embodied in many different forms and should not be construed as limited to the embodiments set forth herein, but rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the exemplary embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the disclosed aspects may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, apparatus, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another element. Accordingly, a first component discussed below could be termed a second component without departing from the teachings of the concepts of the present disclosure. As used herein, the term "and/or" includes any one of the associated listed items and all combinations of one or more.
Those skilled in the art will appreciate that the drawings are schematic representations of example embodiments and that the modules or flows in the drawings are not necessarily required to practice the present disclosure, and therefore, should not be taken to limit the scope of the present disclosure.
The technical abbreviations are explained as follows:
and the FPGA is Field Programmable GATE ARRAY a field programmable gate array.
IPv4: internet Protocol version 4 fourth edition of the internet protocol.
IHL INTERNET HEADER LENGTH IP header length, IPv4 header length information data.
The TCP Transmission Control Protocol transport control protocol is a connection-oriented, reliable, byte stream based transport layer communication protocol.
Fig. 1 is a schematic diagram of a message parsing method according to the prior art. As shown in fig. 1, the invention of the disclosure finds that the conventional message parsing method firstly recognizes that the protocol layer is Ethernet according to the received data of the protocol layer 1, then obtains the next layer protocol as IPv4 according to the type information of the Ethernet layer, and determines the offset 1 of the protocol layer 1, thereby extracting the data of the IPv4 layer, and then obtains the next layer protocol as TCP according to the data of the IPv4 layer, and determines the offset 2 of the protocol layer 2, thereby completing the parsing of all the protocol layers layer by layer.
The traditional parsing method has the advantages that all types of messages which can be parsed are determined, logic codes are written according to the types which need to be parsed, the codes are required to be modified and FPGA programs are required to be rewritten every time a new type of message is updated, then related functions are tested, the updating iteration speed of network communication equipment using the parsing method is low, and the network communication equipment is difficult to adapt to the increasing business demands.
In view of the technical bottleneck in the prior art, in the method, the device and the equipment for analyzing the message data, the memory is used for respectively storing the header offset and the protocol type which need to be inquired in the process of analyzing the message, and the memory is connected through the communication bus of the external processor, so that the offset and the lower protocol type which are modified in real time are used for realizing the method for analyzing the message by dynamic configuration, and a code re-programming program is not required to be modified.
The present disclosure is described in detail below with the aid of specific examples.
Fig. 2 is a flow chart illustrating a method of message data parsing according to an exemplary embodiment. The message data parsing method 20 at least includes steps S202 to S208.
As shown in fig. 2, in S202, a first layer protocol type of the message data is identified. The first layer protocol type identified by the message data can be any type of data protocol in the prior art.
In S204, a first layer offset query address and a lower layer protocol query address are determined based on the first layer protocol type. The first layer offset query address may be determined based on data length information of the first layer protocol type, and the lower layer protocol query address may be determined based on data length information of the first layer protocol type.
In S206, the key field data of the message data is extracted based on the first layer offset query address and the lower layer protocol query address. Determining offset data based on the first layer offset query address, determining a protocol type based on the lower layer protocol query address, and analyzing the message data based on the offset data and the protocol type to extract the key field data.
In one embodiment, the method further comprises storing a plurality of offset query addresses based on the offset memory and storing a plurality of protocol query addresses based on the protocol type querier.
More specifically, the offset memory stores a plurality of corresponding relations between offset query addresses and offsets through an offset query table, and queries offset data in the offset query table according to the first-layer offset query address.
More specifically, the protocol type inquirer stores a plurality of corresponding relations between the protocol inquiry addresses and the protocol types through the protocol inquiry address table. And inquiring the protocol type in a protocol inquiry address table according to the lower protocol inquiry address.
In one embodiment, the method further comprises modifying the plurality of offset query addresses and the plurality of protocol query addresses in real time according to a data modification instruction. The protocol inquiry address table and the offset inquiry table can reserve a space, can be modified in real time, and can modify the corresponding relation between the offset inquiry address and the offset and the corresponding relation between the protocol inquiry address and the protocol type in real time according to the data modification instruction.
The method comprises the steps of analyzing the message data based on the offset data and the protocol type to extract the key field data, and analyzing the offset message data according to the protocol type to extract the key field data.
In S208, when the key field data meets a preset policy, the message data is parsed based on the preset policy to generate a parsing result. And when the key field data is a TCP protocol, analyzing the message data according to the TCP protocol to generate an analysis result.
In one embodiment, the method further comprises the steps of determining a lower protocol type based on the key field data when the key field data does not meet a preset strategy, determining a lower offset query address and a last protocol query address based on the lower protocol type, extracting the key field data of the message data based on the lower offset query address and the last protocol query address, and analyzing the message data to generate an analysis result when the key field data is a TCP protocol. And when the key field data is not the TCP protocol, extracting the lower protocol address again to extract the key field data and analyzing.
According to the message data analysis method, the first layer protocol type of the message data is identified, the first layer offset query address and the lower layer protocol query address are determined based on the first layer protocol type, key field data of the message data are extracted based on the first layer offset query address and the lower layer protocol query address, when the key field data meet a preset strategy, the message data are analyzed based on the preset strategy to generate an analysis result, an offset memory data query table and a protocol type memory data query table can be updated in real time, dynamic configuration of the message analysis type is achieved, a code is not required to be modified to rewrite an FPGA program, and the product updating iteration speed is accelerated.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
Fig. 3 is a flow chart illustrating a method of message data parsing according to another exemplary embodiment. The flow 30 shown in fig. 3 is a detailed description of the flow shown in fig. 2.
As shown in fig. 3, in S302, message data is received.
In S304, a first layer protocol type is identified.
In S306, an offset query address is determined.
In S308, the lower protocol query address is determined.
In S310, key field data is extracted.
In S312, whether the analysis result is a preset analysis result.
In S314, the analysis result is output.
In S316, the lower layer data is parsed.
After receiving new message data, identifying the first layer protocol type, calculating the offset inquiry address of the layer according to the length information of the first layer protocol data and outputting the offset inquiry address to an offset memory, wherein the offset memory outputs the offset corresponding to the inquiry address, then calculating the lower layer protocol inquiry address according to the lower layer protocol data information and outputting the lower layer protocol inquiry address to a protocol type memory, the protocol type memory outputs the protocol type corresponding to the inquiry address, extracts key field data according to the current protocol type, judges whether analysis is finished according to the received lower layer protocol type, outputs the current analysis result if analysis is finished, receives new packet data, and jumps to the lower layer protocol according to the received offset to continue analysis if not finished.
Fig. 4 is a schematic diagram illustrating a message data parsing method according to another exemplary embodiment. In a specific embodiment, as shown in fig. 5, the first layer protocol is identified as Ethernet, an offset query address 1 is generated and output to the offset query memory, and a return value is fixed 14, as shown in fig. 6, the protocol query address 1 is obtained according to the type information of the Ethernet layer, and output to the protocol type query memory, and the return value is 2 (IPv 4 protocol).
The data of the IPv4 layer can be continuously analyzed after the message data is shifted by 14 bytes. And calculating an offset query address 2 according to the IHL information of the IPv4 layer, outputting the offset query address 2 to an offset query memory, obtaining a Protocol query address 2 according to the Protocol information of the IPv4 layer, outputting the Protocol query address 2 to a Protocol type query memory, and outputting a return value of 4 (TCP Protocol).
The data of the TCP layer can be continuously analyzed after the message data is shifted by 20 bytes. And generating end analysis mark information when the current protocol layer is identified as TCP, and outputting an analysis result, and receiving new packet data by the message analysis device.
And in the analysis process, selecting and extracting key data of each layer according to actual project requirements.
More specifically, according to the method for analyzing message data disclosed by the disclosure, default data is preset according to the type of the message to be analyzed by the offset memory data lookup table and the protocol type memory data lookup table, and the type of the message to be analyzed can be updated in real time by a processor (CPU and the like), so that the type of the message to be analyzed is increased, and the FPGA program is not required to be rewritten, thereby realizing a dynamic configuration function.
According to the message data analysis method, the data lookup table of the offset memory and the data lookup table of the protocol type memory can be updated in real time through the external processor, so that dynamic configuration of message analysis types is realized. And using an offset memory and a protocol type memory to realize query allocation of offset and protocol types in the process of analyzing the message.
Those skilled in the art will appreciate that all or part of the steps implementing the above described embodiments are implemented as a computer program executed by a CPU. The above-described functions defined by the above-described methods provided by the present disclosure are performed when the computer program is executed by a CPU. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic disk or an optical disk, etc.
Furthermore, it should be noted that the above-described figures are merely illustrative of the processes involved in the method according to the exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
The following are device embodiments of the present disclosure that may be used to perform method embodiments of the present disclosure. For details not disclosed in the embodiments of the apparatus of the present disclosure, please refer to the embodiments of the method of the present disclosure.
Fig. 7 is a block diagram illustrating a message data parsing apparatus according to an exemplary embodiment. As shown in fig. 7, the message data parsing device 70 includes an identification module 702, an address module 704, a data module 706, a parsing module 708, and the message data parsing device 70 may further include an instruction module 710.
The identifying module 702 is configured to identify a first layer protocol type of the message data;
the address module 704 is configured to determine a first layer offset query address and a lower layer protocol query address based on the first layer protocol type;
The data module 706 is configured to extract key field data of the packet data based on the first-layer offset query address and a lower-layer protocol query address;
The parsing module 708 is configured to parse the message data based on a preset policy to generate a parsing result when the key field data satisfies the preset policy.
The instruction module 710 is configured to modify the plurality of offset query addresses and the plurality of protocol query addresses in real time according to a data modification instruction.
According to the message data analysis device, the offset memory and the protocol type memory are used for inquiring and allocating the offset and the protocol type in the process of analyzing the message, and the offset memory data inquiry table and the protocol type memory data inquiry table can be updated in real time through the external processor, so that the dynamic configuration of the message analysis type is realized, the FPGA program is not required to be rewritten by modifying codes, and the product updating iteration speed is accelerated.
Fig. 8 is a block diagram of a message data parsing apparatus according to another exemplary embodiment. As shown in fig. 8, the message data parsing device 80 includes a message data parsing apparatus 802, an offset memory 804, a protocol type memory 806, and the message data parsing device 80 may further include a processor 808.
The message data parsing device 802 is configured to identify a first layer protocol type of the message data, determine a first layer offset query address and a lower layer protocol query address based on the first layer protocol type, extract key field data of the message data based on the first layer offset query address and the lower layer protocol query address, parse the message data based on a preset policy to generate a parsing result when the key field data meets the preset policy, where specific internal modules of the message data parsing device 802 may be set as internal modules of the message data parsing device 70.
More specifically, the message data parsing device 802 may be configured to identify a first protocol type of the message data, calculate an offset query address, calculate a lower protocol query address, extract key field data, and receive data matching switch information sent by the processor.
The offset memory 804 is configured to store a plurality of offset query addresses for the message data parsing device to query;
more specifically, the offset memory 804 may be used to output a corresponding offset based on the received query address, receiving a processor data modification instruction.
The protocol type memory 806 is configured to store a plurality of protocol query addresses for querying by the packet data parsing device.
More specifically, the protocol type memory 806 may be configured to output a corresponding protocol type based on the received query address and receive a processor data modification instruction.
The processor 808 is configured to modify the plurality of offset query addresses and the plurality of protocol query addresses in real time according to the data modification instruction.
According to the message data analysis equipment, the first-layer protocol type of the message data is identified, the first-layer offset query address and the lower-layer protocol query address are determined based on the first-layer protocol type, key field data of the message data are extracted based on the first-layer offset query address and the lower-layer protocol query address, when the key field data meet a preset strategy, the message data are analyzed based on the preset strategy to generate an analysis result, and an offset memory data query table and a protocol type memory data query table can be updated in real time, so that dynamic configuration of the message analysis type is realized, a code is not required to be modified to rewrite an FPGA program, and the product updating iteration speed is accelerated.
Fig. 9 is a block diagram of an electronic device, according to an example embodiment.
An electronic device 900 according to such an embodiment of the present disclosure is described below with reference to fig. 9. The electronic device 900 shown in fig. 9 is merely an example and should not be construed to limit the functionality and scope of use of embodiments of the present disclosure in any way.
As shown in fig. 9, the electronic device 900 is embodied in the form of a general purpose computing device. Components of electronic device 900 may include, but are not limited to, at least one processing unit 910, at least one storage unit 920, a bus 930 connecting the different system components (including storage unit 920 and processing unit 910), a display unit 940, and the like.
Wherein the storage unit stores program code that is executable by the processing unit 910 such that the processing unit 910 performs steps described in the present specification according to various exemplary embodiments of the present disclosure. For example, the processing unit 910 may perform the steps as shown in fig. 2, 3.
The storage unit 920 may include readable media in the form of volatile storage units, such as Random Access Memory (RAM) 9201 and/or cache memory 9202, and may further include Read Only Memory (ROM) 9203.
The storage unit 920 may also include a program/utility 9204 having a set (at least one) of program modules 9205, such program modules 9205 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The bus 930 may be one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 900 may also be in communication with one or more external devices 900' (e.g., keyboard, pointing device, bluetooth device, etc.), devices that enable a user to interact with the electronic device 900, and/or any devices (e.g., routers, modems, etc.) that the electronic device 900 can communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 950. Also, electronic device 900 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through network adapter 960. The network adapter 960 can communicate with other modules of the electronic device 900 via the bus 930. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 900, including, but not limited to, microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, as shown in fig. 10, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, or a network device, etc.) to perform the above-described method according to the embodiments of the present disclosure.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of a readable storage medium include an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable storage medium may also be any readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The computer readable medium carries one or more programs, and when the one or more programs are executed by the equipment, the computer readable medium realizes the functions of identifying the first layer protocol type of the message data, determining a first layer offset query address and a lower layer protocol query address based on the first layer protocol type, extracting key field data of the message data based on the first layer offset query address and the lower layer protocol query address, and analyzing the message data based on a preset strategy to generate an analysis result when the key field data meets the preset strategy. The computer readable medium may also implement the function of modifying the plurality of offset query addresses and the plurality of protocol query addresses in real time according to data modification instructions.
Those skilled in the art will appreciate that the modules may be distributed throughout several devices as described in the embodiments, and that corresponding variations may be implemented in one or more devices that are unique to the embodiments. The modules of the above embodiments may be combined into one module, or may be further split into a plurality of sub-modules.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or in combination with the necessary hardware. Thus, the technical solutions according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and include several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that the disclosure is not to be limited to the details of construction, arrangement or method of implementation described herein, but on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
Claims (8)
1. The message data analysis method is characterized by comprising the following steps:
Identifying the first layer protocol type of the message data;
Determining a first layer offset query address and a lower layer protocol query address based on the first layer protocol type;
The key field data of the message data is extracted based on the first-layer offset query address and a lower-layer protocol query address, and the key field data is extracted by determining offset data based on the first-layer offset query address, determining a protocol type based on the lower-layer protocol query address, offsetting the message data based on the offset data, and analyzing the offset message data according to the protocol type;
When the key field data meets a preset strategy, analyzing the message data based on the preset strategy to generate an analysis result;
Determining a lower protocol type based on the key field data when the key field data does not meet a preset strategy;
determining a lower-layer offset query address and a last-layer protocol query address based on the lower-layer protocol type;
And analyzing the message data based on the lower-layer offset query address and the last-layer protocol query address to generate an analysis result.
2. The method as recited in claim 1, further comprising:
Storing a plurality of offset query addresses based on an offset memory;
the protocol type based querier stores a plurality of protocol query addresses.
3. The method as recited in claim 2, further comprising:
and modifying the plurality of offset inquiry addresses and the plurality of protocol inquiry addresses in real time according to a data modification instruction.
4. The method of claim 1, wherein determining a first layer offset query address and a lower layer protocol query address based on the first layer protocol type comprises:
determining the first layer offset query address based on the data length information of the first layer protocol type;
and determining the inquiry address of the lower layer protocol based on the data length information of the first layer protocol type.
5. The method of claim 1, wherein when the key field data satisfies a preset policy, parsing the message data based on the preset policy to generate a parsing result, comprising:
and when the key field data is a TCP protocol, analyzing the message data according to the TCP protocol to generate an analysis result.
6. A message data parsing apparatus, comprising:
the identification module is used for identifying the first layer protocol type of the message data;
The address module is used for determining a first layer offset inquiry address and a lower layer protocol inquiry address based on the first layer protocol type;
The data module is used for extracting key field data of the message data based on the first-layer offset query address and the lower-layer protocol query address, and comprises the steps of determining offset data based on the first-layer offset query address, determining a protocol type based on the lower-layer protocol query address, offsetting the message data based on the offset data, and analyzing the offset message data according to the protocol type to extract the key field data;
The analysis module is used for analyzing the message data based on the preset strategy to generate an analysis result when the key field data meets the preset strategy, determining a lower protocol type based on the key field data, determining a lower offset query address and a last protocol query address based on the lower protocol type when the key field data does not meet the preset strategy, and analyzing the message data based on the lower offset query address and the last protocol query address to generate the analysis result.
7. The apparatus as recited in claim 6, further comprising:
And the instruction module is used for modifying the multiple offset inquiry addresses and the multiple protocol inquiry addresses in real time according to the data modification instruction.
8. A message data parsing apparatus, comprising:
The message data analyzing device is used for identifying a first layer protocol type of the message data, determining a first layer offset query address and a lower layer protocol query address based on the first layer protocol type, extracting key field data of the message data based on the first layer offset query address and the lower layer protocol query address, analyzing the message data based on the preset strategy to generate an analyzing result when the key field data meets the preset strategy, determining a lower layer protocol type based on the key field data, determining a lower layer offset query address and a lower layer protocol query address based on the lower layer protocol type when the key field data does not meet the preset strategy, analyzing the message data based on the lower layer offset query address and the lower layer protocol query address to generate an analyzing result, wherein extracting the key field data of the message data based on the first layer offset query address and the lower layer protocol query address comprises determining an offset data based on the first layer offset query address, analyzing the message data based on the lower layer protocol query address to determine a type, analyzing the message data based on the offset data and extracting the key field data according to the offset type;
the offset storage is used for storing a plurality of offset inquiry addresses so that the message data analysis device can inquire;
And the protocol type memory is used for storing a plurality of protocol inquiry addresses so that the message data analysis device can inquire.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111273061.1A CN114006956B (en) | 2021-10-29 | 2021-10-29 | Message data analysis method, device and equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111273061.1A CN114006956B (en) | 2021-10-29 | 2021-10-29 | Message data analysis method, device and equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114006956A CN114006956A (en) | 2022-02-01 |
| CN114006956B true CN114006956B (en) | 2024-12-03 |
Family
ID=79925207
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111273061.1A Active CN114006956B (en) | 2021-10-29 | 2021-10-29 | Message data analysis method, device and equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114006956B (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115150481B (en) * | 2022-09-02 | 2022-11-25 | 浙江工企信息技术股份有限公司 | Unknown communication protocol equipment-oriented code point address detection method and system |
| CN115767144B (en) * | 2022-10-26 | 2024-07-23 | 杭州迪普科技股份有限公司 | Method and device for determining uploading object of target video |
| CN115842874B (en) * | 2022-11-21 | 2025-08-01 | 北京天融信网络安全技术有限公司 | Data processing method and device based on multi-protocol multi-port service |
| CN116192994A (en) * | 2022-12-19 | 2023-05-30 | 深圳昂楷科技有限公司 | Data analysis method, device, computer equipment, medium and product |
| CN118075227B (en) * | 2024-02-20 | 2024-10-29 | 广东联想懂的通信有限公司 | Method for accurately matching domain name and variable domain name and IP |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105554002A (en) * | 2015-12-22 | 2016-05-04 | 曙光信息产业股份有限公司 | Tunnel message analyzing method and device |
Family Cites Families (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1331336C (en) * | 2004-05-25 | 2007-08-08 | 华中科技大学 | Rapid analyzing method for data pack |
| US7599364B2 (en) * | 2005-09-13 | 2009-10-06 | Agere Systems Inc. | Configurable network connection address forming hardware |
| KR100850353B1 (en) * | 2005-12-08 | 2008-08-04 | 한국전자통신연구원 | Service quality provision method using address system and address interpretation communication protocol |
| CN103561130A (en) * | 2013-11-06 | 2014-02-05 | 北京神州绿盟信息安全科技股份有限公司 | Network address translation device and method suitable for multiple application layer protocols |
| US10846424B2 (en) * | 2014-09-05 | 2020-11-24 | Medidata Solutions, Inc. | Method for multi-tiered, rule-based data sharing and ontology mapping |
| CN106936799B (en) * | 2015-12-31 | 2021-05-04 | 阿里巴巴集团控股有限公司 | Message cleaning method and device |
| CN107547407B (en) * | 2017-09-15 | 2021-03-09 | 新华三技术有限公司 | Message transmission method, device and implementation device |
| CN109474641B (en) * | 2019-01-03 | 2020-05-12 | 清华大学 | Reconfigurable switch forwarding engine resolver capable of destroying hardware trojans |
| US11431829B2 (en) * | 2019-03-06 | 2022-08-30 | Parsons Corporation | Multi-tiered packet processing |
| CN110381054B (en) * | 2019-07-16 | 2022-02-22 | 广东省新一代通信与网络创新研究院 | Message analysis method, device, equipment and computer readable storage medium |
| CN111030998B (en) * | 2019-11-15 | 2021-10-01 | 中国人民解放军战略支援部队信息工程大学 | A configurable protocol parsing method and system |
| CN111935081B (en) * | 2020-06-24 | 2022-06-21 | 武汉绿色网络信息服务有限责任公司 | Data packet desensitization method and device |
| CN112751845B (en) * | 2020-12-28 | 2022-12-02 | 北京恒光信息技术股份有限公司 | Network protocol analysis method, system and device |
| CN112929281B (en) * | 2021-02-04 | 2023-01-10 | 恒安嘉新(北京)科技股份公司 | Message processing method, device and equipment of network equipment based on FPGA |
-
2021
- 2021-10-29 CN CN202111273061.1A patent/CN114006956B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105554002A (en) * | 2015-12-22 | 2016-05-04 | 曙光信息产业股份有限公司 | Tunnel message analyzing method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114006956A (en) | 2022-02-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN114006956B (en) | Message data analysis method, device and equipment | |
| CN111131037B (en) | Data transmission method, device, medium and electronic equipment based on virtual gateway | |
| CN112347377B (en) | IP address field searching method, service scheduling method, device and electronic equipment | |
| CN109495392B (en) | Message conversion processing method and device, electronic equipment and storage medium | |
| CN103534988A (en) | Publish and subscribe messaging method and apparatus | |
| US7856415B2 (en) | System and method for mapping events into a data structure | |
| CN114338498A (en) | SRv 6-based message processing method, system, electronic equipment and medium | |
| CN114285781B (en) | SRV6 service flow statistics method, device, electronic equipment and medium | |
| US11956292B2 (en) | Legacy environment streaming | |
| CN113766042A (en) | Container address configuration method, system, device, equipment and medium | |
| CN108471401A (en) | A kind of encapsulation of CAN signal, analysis method and device | |
| CN108153803A (en) | A kind of data capture method, device and electronic equipment | |
| CN112291212B (en) | Static rule management method and device, electronic equipment and storage medium | |
| CN114338529B (en) | Five-tuple rule matching method and device | |
| CN114117013A (en) | Hidden Markov-based multi-turn dialogue method and device and electronic equipment | |
| CN114363257B (en) | Five-tuple matching method and device for tunnel message | |
| CN114422164B (en) | Five-tuple table entry issuing device and method | |
| CN111612516A (en) | DMP platform and method based on RTA delivery and electronic equipment | |
| CN109241164A (en) | A kind of data processing method, device, server and storage medium | |
| CN116032614A (en) | Container network micro-isolation method, device, equipment and medium | |
| CN114168652A (en) | A smart contract interaction method, device, device and storage medium | |
| CN115250254B (en) | Netflow message distribution processing method and device | |
| CN114650271B (en) | Global load DNS neighbor site learning method and device | |
| CN116600031B (en) | Message processing method, device, equipment and storage medium | |
| CN113055435B (en) | Cross-environment unified buried point data transmission method and device and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |