CN-117793222-B - Extraction method, device, equipment and storage medium of network analysis data

Abstract

The application discloses a method, a device, electronic equipment and a computer readable storage medium for extracting network analysis data, belonging to the field of the Internet. The method comprises: capturing a detected data packet from a port of the equipment; determining the network protocol type of the detected data packet; determining, from a preset first corresponding relation, the data identification bit of the detected data packet according to its network protocol type; determining, from a preset second corresponding relation, the target analysis flow template corresponding to that data identification bit; and analyzing the content to be detected in the detected data packet, starting from its data identification bit, according to the steps in the target analysis flow template. The method addresses the problems in the related art that, because of the scale and complexity of network traffic data, data analysis is heavily loaded and slow, analysis efficiency is low, and network traffic data cannot be extracted rapidly.

Inventors

  • LI GANG
  • CHE QIAN
  • YU BO
  • WANG ZHIHAI
  • AN PENG
  • FU SHAOBO

Assignees

  • 北京明朝万达科技股份有限公司

Dates

Publication Date
2026-05-05
Application Date
2024-01-04

Claims (9)

  1. A method for analyzing network data, comprising: capturing a detected data packet from a port of the device and determining the network protocol type of the detected data packet, wherein the detected data packet comprises content to be detected and other content apart from the content to be detected; determining, from a preset first corresponding relation, a data identification bit of the detected data packet according to its network protocol type, wherein the first corresponding relation stores the correspondence between network protocol types and data identification bits; determining, from a preset second corresponding relation, a target analysis flow template corresponding to the data identification bit of the detected data packet, wherein an analysis flow template records the specific steps for analyzing the content to be detected of a data packet, starting from the data identification bit, under the corresponding network protocol type; and analyzing the content to be detected in the detected data packet, starting from its data identification bit, according to the steps in the target analysis flow template; wherein the method further comprises: capturing a sampling data packet from a port of the device and determining a data identification bit and a network protocol type of the sampling data packet from the sampling data packet itself, wherein the sampling data packet comprises content to be detected and other content apart from the content to be detected; storing the network protocol type and the data identification bit of the sampling data packet in the first corresponding relation; generating an analysis flow template for analyzing the sampling data packet according to its network protocol type and data identification bit, wherein the analysis flow template records the specific steps for analyzing the content to be detected of the sampling data packet, starting from the data identification bit, under the corresponding network protocol type; and storing the data identification bit of the sampling data packet and the analysis flow template of the sampling data packet in the second corresponding relation.
  2. The method of claim 1, wherein determining the data identification bit of the sampling data packet from the sampling data packet comprises: obtaining the offset of the sampling data packet, the offset representing the ordinal number of the sampling data packet in the data transmission process; combining the offset with the data of the sampling data packet to obtain an offset data packet, and determining a feature code of the offset data packet from the offset data packet; and searching a preset third corresponding relation by the feature code to determine the data identification bit of the sampling data packet, wherein the third corresponding relation stores the correspondence between feature codes and data identification bits.
  3. The method of claim 2, wherein combining the offset with the data of the sampling data packet to obtain the offset data packet comprises: performing an exclusive-or operation between the offset and the data of the sampling data packet, and taking the result of the exclusive-or operation as the offset data packet.
  4. The method of claim 2, wherein determining the feature code of the offset data packet from the offset data packet comprises: taking digest data of the offset data packet as its feature code.
  5. The method of claim 1, wherein, before determining the data identification bit and network protocol type of the sampling data packet from the sampling data packet, the method further comprises: extracting key data from the sampling data packet to obtain a simplified sampling data packet, wherein the key data comprises one or more of the type of a command stored in the data packet, the parameters of the command, a response status code, identity verification (authentication) information, and repeated information.
  6. The method of claim 1, further comprising: when no target analysis flow template corresponding to the data identification bit of the detected data packet is obtained, taking the detected data packet as a sampling data packet and entering the step of determining the data identification bit and the network protocol type of the sampling data packet from the sampling data packet.
  7. An apparatus for analyzing network data, comprising: a capture module, for capturing a detected data packet from a port of the device and determining the network protocol type of the detected data packet, wherein the detected data packet comprises content to be detected and other content apart from the content to be detected; a first relation module, for determining, from a preset first corresponding relation, a data identification bit of the detected data packet according to its network protocol type; a second relation module, for determining, from a preset second corresponding relation, a target analysis flow template corresponding to the data identification bit of the detected data packet; a data analysis module, for analyzing the content to be detected in the detected data packet, starting from its data identification bit, according to the steps in the target analysis flow template; wherein the apparatus further comprises: a sampling module, for capturing a sampling data packet from a port of the device and determining a data identification bit and a network protocol type of the sampling data packet from the sampling data packet, wherein the sampling data packet comprises content to be detected and other content apart from the content to be detected; a first relation storage module, for storing the network protocol type and the data identification bit of the sampling data packet in the first corresponding relation; an analysis module, for generating an analysis flow template for analyzing the sampling data packet according to its network protocol type and data identification bit, wherein the analysis flow template records the specific steps for analyzing the content to be detected of the sampling data packet, starting from the data identification bit, under the corresponding network protocol type; and a second relation storage module, for storing the data identification bit of the sampling data packet and the analysis flow template of the sampling data packet in the second corresponding relation.
  8. An electronic device comprising a processor and a memory for storing instructions executable by the processor, wherein the processor is configured to execute the instructions to implement the method of any one of claims 1 to 6.
  9. A computer readable storage medium, wherein instructions in the computer readable storage medium, when executed by a processor of an electronic device, enable the electronic device to perform the method of any one of claims 1 to 6.

Description

Extraction method, device, equipment and storage medium of network analysis data

Technical Field

The application belongs to the field of the Internet and in particular relates to a network data analysis method, a network data analysis device, electronic equipment and a computer readable storage medium.

Background

Passive interception refers to monitoring and capturing network traffic during transmission, without intervening in or modifying the traffic, in order to obtain information about it such as traffic volume, communication patterns, application usage and security events. Compared with active monitoring, passive monitoring has the advantages of not affecting normal operation of the network, not provoking objections from network users, and not violating network compliance requirements. Extracting passively monitored network traffic data generally requires a dedicated packet capture tool, a packet analysis tool and a dedicated storage system. The packet capture tool captures data packets from the network's transmission ports; the packet analysis tool performs deep analysis, protocol identification, application identification and the like on the packets; and the storage system stores and manages the packets. The performance and efficiency of these tools and systems directly determine the quality and speed of network traffic data extraction. However, because of the scale and complexity of network traffic data, the existing extraction methods for passively monitored traffic must fully parse each different data packet every time, which consumes a large amount of computing resources and time, makes data analysis inefficient, and prevents network traffic data from being extracted rapidly.
Disclosure of Invention

The application aims to provide a network data analysis method, a device, electronic equipment and a computer readable storage medium that at least address the problems of heavy analysis load and long processing time in the extraction of network analysis data. In a first aspect, an embodiment of the present application discloses a method for analyzing network data, including: capturing a detected data packet from a port of the device and determining the network protocol type of the detected data packet, wherein the detected data packet comprises content to be detected and other content apart from the content to be detected; determining, from a preset first corresponding relation, a data identification bit of the detected data packet according to its network protocol type, wherein the first corresponding relation stores the correspondence between network protocol types and data identification bits; determining, from a preset second corresponding relation, a target analysis flow template corresponding to the data identification bit of the detected data packet, wherein an analysis flow template records the specific steps for analyzing the content to be detected of a data packet, starting from the data identification bit, under the corresponding network protocol type; and analyzing the content to be detected in the detected data packet, starting from its data identification bit, according to the steps in the target analysis flow template.
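The method of claims 1 to 6 and of the first aspect above, as an added worked example in Python (this is not the patentee's code and does not appear on the page). It keeps the three correspondences as dictionaries: protocol type to identification bit (first), identification bit to template (second) and feature code to identification bit (third), and on a cache miss treats the packet as a sampling packet (claim 6). Everything the patent leaves open is an assumption here: the constructed "CMDP" packet layout, that the template is generated from a per-protocol step registry, that the key data of claim 5 is the first four bytes of the packet, that the offset is XORed into those bytes as a repeated 4-byte big-endian mask, and SHA-256 as the digest of claim 4. Two checks a practitioner would want are built in: every template step is bounds-checked against the packet, because a cached template describes a layout the current packet may not actually have, and a packet whose feature code is unknown is rejected rather than parsed with a guessed template.

```python
"""Template-cached packet field extraction modelled on claims 1-6 (added example,
not the patentee's code; layout, key-data prefix, XOR mask and digest are assumptions)."""
import hashlib
import struct

KEY_PREFIX_LEN = 4  # assumption for claim 5: key data = magic, version, command type
# Assumption: per-protocol parse steps; a template runs from the identification bit.
TEMPLATE_STEPS = {
    "CMDP": [("u8", "cmd_type"), ("u16", "status"), ("lpstr", "auth_token"), ("rest", "payload")],
}


def run_template(pkt: bytes, ident: int, steps: list) -> dict:
    """Parse from byte `ident` step by step, bounds-checking every read so a stale or
    mismatched cached template can never read past the packet."""
    if not 0 <= ident <= len(pkt):
        raise ValueError(f"identification bit {ident} outside {len(pkt)}-byte packet")
    pos, out = ident, {}

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(pkt):
            raise ValueError(f"packet truncated at byte {pos}: need {n} more")
        chunk, pos = pkt[pos:pos + n], pos + n
        return chunk

    for kind, name in steps:
        if kind == "u8":
            out[name] = take(1)[0]
        elif kind == "u16":
            out[name] = struct.unpack(">H", take(2))[0]
        elif kind == "lpstr":  # one length byte, then that many ASCII bytes
            out[name] = take(take(1)[0]).decode("ascii")
        elif kind == "rest":
            out[name] = take(len(pkt) - pos)
        else:
            raise ValueError(f"unknown template step {kind!r}")
    return out


def feature_code(pkt: bytes, offset: int) -> str:
    """Claims 2-5: keep the key data, XOR the packet offset into it (offset encoded
    big-endian and repeated cyclically), and take a digest as the feature code."""
    mask = struct.pack(">I", offset & 0xFFFFFFFF)
    mixed = bytes(b ^ mask[i % 4] for i, b in enumerate(pkt[:KEY_PREFIX_LEN]))
    return hashlib.sha256(mixed).hexdigest()


class Extractor:
    def __init__(self):
        self.proto_to_ident = {}     # first correspondence: protocol type -> identification bit
        self.ident_to_template = {}  # second correspondence: identification bit -> template
        self.feature_to_ident = {}   # third correspondence: feature code -> identification bit
        self.stats = {"fast": 0, "learned": 0}

    def register_feature(self, sample: bytes, offset: int, ident: int):
        """Seed the third correspondence from a sample whose identification bit is known."""
        self.feature_to_ident[feature_code(sample, offset)] = ident

    def learn_sample(self, pkt: bytes, offset: int, protocol: str) -> dict:
        """Sampling branch of claim 1: identification bit via feature code, generate the
        template (assumption: from the step registry), store both relations, then parse."""
        ident = self.feature_to_ident.get(feature_code(pkt, offset))
        if ident is None:
            raise LookupError("no feature-code match: packet needs a new sample definition")
        self.proto_to_ident[protocol] = ident
        self.ident_to_template[ident] = list(TEMPLATE_STEPS[protocol])
        self.stats["learned"] += 1
        return run_template(pkt, ident, self.ident_to_template[ident])

    def extract(self, pkt: bytes, protocol: str, offset: int) -> dict:
        """Detection branch of claim 1; on a miss fall back to the sampling branch (claim 6)."""
        ident = self.proto_to_ident.get(protocol)
        steps = self.ident_to_template.get(ident)
        if steps is None:
            return self.learn_sample(pkt, offset, protocol)
        fields = run_template(pkt, ident, steps)
        self.stats["fast"] += 1
        return fields


def cmdp_packet(cmd: int, status: int, token: bytes, payload: bytes) -> bytes:
    """Constructed packet: magic "CM", version byte, then content to be detected from byte 3."""
    return b"CM\x01" + bytes([cmd]) + struct.pack(">H", status) + bytes([len(token)]) + token + payload


def raises(exc, fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except exc:
        return True


def demo() -> tuple:
    ex = Extractor()
    ex.register_feature(cmdp_packet(0x10, 200, b"tok", b"hello"), offset=1, ident=3)
    first = ex.extract(cmdp_packet(0x10, 200, b"abc", b"GET /"), "CMDP", offset=1)  # learned
    second = ex.extract(cmdp_packet(0x22, 404, b"xyz", b"POST"), "CMDP", offset=2)  # fast path
    # protocol with no registered sample: rejected rather than parsed with a guessed template
    rejected = raises(LookupError, ex.extract, b"RS\x00\x00\x00\x00\x00\x00\x01\xf4\x04oops", "RESP", 9)
    # packet cut off inside the status field: the cached template must not over-read
    truncated = raises(ValueError, ex.extract, b"CM\x01\x10\x00", "CMDP", 3)
    return first, second, rejected, truncated, dict(ex.stats)
```

Taken literally, the feature code of claims 2 to 4 is a digest over offset-mixed bytes, so the third correspondence is an exact-match lookup: it only hits when both the key data and the offset equal those of a registered sample, which is why `demo()` seeds it explicitly before the first packet arrives. After that first packet the protocol's template is cached and every later packet of the same type takes the fast path, which is the saving the patent describes.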
In a second aspect, an embodiment of the present application further discloses an apparatus for analyzing network data, the apparatus including: a capture module, for capturing a detected data packet from a port of the equipment and determining the network protocol type of the detected data packet, wherein the detected data packet comprises content to be detected and other content apart from the content to be detected; a first relation module, for determining, from a preset first corresponding relation, a data identification bit of the detected data packet according to its network protocol type; a second relation module, for determining, from a preset second corresponding relation, a target analysis flow template corresponding to the data identification bit of the detected data packet; and a data analysis module, for analyzing the content to be detected in the detected data packet, starting from its data identification bit, according to the steps in the target analysis flow template. In a third aspect, an embodiment of the present application further discloses an electronic device, including a processor and a memory, where the memory stores a program or instructions executable on the pr