面向应急响应的高速网络流量采集设计与实现

doi:10.3969/j.issn.1000-436x.2014.z1.010

摘要/Abstract

摘要：

摘要：网络安全应急响应在网络分析和追踪时需要应急采集，即捕获特定IP、端口、协议的原始分组。基于高速网络分组捕获工具PF_RING DNA，利用多核多线程并发采集与规则匹配的网络分组，并分配共享缓冲区提高分组的磁盘存储性能，同时通过对采集规则设置不同的状态，实现动态添加采集规则和人为干预采集过程。实验结果表明，在双万兆网卡的环境下，应急采集系统可以捕获并处理19.98 bit/s(3.5 Mpacket/s)的网络流量，最大应急采集速率为1 297 Mbit/s（204.9 kpacket/s）。

关键词: 应急响应, PF_RINGDNA, 分组采集, 动态规则

Abstract:

In the network analysis and tracking,network security emergency response needs a emsrgency sensor that captures saw packets of specific IP,port,protocol.Base on the high-speed packet capture tool PF_RING DNA,it uses mutil-thread to capture network packets that match sensor rules,and allocates the shared buffer to improve the performance of the disk storage of packets,at the same time through setting different states for the packet sensor rule,impliments adding sensor rules and human intervention dynamically.The experimental results show that in the dual 10 Gigabit NICs environment,emergency sensor can capture and handle network traffic of 19.98 Gbit/s(3.5 Mpacket/s),and the maximum rate of emergency sensor is 1 297 Mbit/s(204.9 kpacket/s).

Key words: emergency response, PF_RING DNA, packet capture, dynamic rule

马亚洲,龚俭,杨望. 面向应急响应的高速网络流量采集设计与实现[J]. 通信学报, 2014, 35(Z1): 46-51.

Ya-zhou MA,Jian GONG,Wang YANG. Design and implementation of high-speed network traffic sensor for emergency response[J]. Journal on Communications, 2014, 35(Z1): 46-51.

图/表 12

图1

图2

图3

表1

图4

图5

表2

图6

图7

图8

图9

图10

参考文献 8

[1]	孙成峰 . 面向万兆网络的滥用入侵检测系统改进[D]. 东南大学, 2013. SUN C F . The Improvement of Misuse Intrusion Detection System in 10 Gbps Ethernet[D]. Southeast University, 2013.
[2]	吕少阳 . CHAIRS系统运行管理与离线检测的设计与实现[D]. 东南大学, 2013. LV S Y . The Research and Implementation of Operation Management System and Offline Detection System of CHAIRS[D]. Southeast University, 2013.
[3]	林洪周 . 万兆网络数据包捕获系统的研究与开发[D]. 华中科技大学, 2008. LIN H Z . The Research and Development of 10 Gbps Network Packet Capture System[D]. Huazhong University of Science & Technology, 2008.
[4]	张显, 黎文伟 . 基于多核平台的数据包捕获方法性能评估[J]. 计算机应用研究， 2011. ZHANG X , LI W W . Performance evaluation of packet capture methods based on multi-core platform[J]. Application Research of Computer, 2011,28(7).
[5]	Packet Capture Performance at 10 Gbit:PF_RING vs TNAPI[EB/OL]. .
[6]	钟婷, 刘勇, 耿技 . 基于 IXP2400 网络处理器的高速包过滤的研究[J]. 计算机应用, 2005,25(11). ZHONG T , LIU Y , GENG J . Study on fast packet filter under network processor IXP2400[J]. Computer Application, 2005,25(11).
[7]	CAMPBELL S , MELLANDER J . Experiences with intrusion detection in high performance computing[J]. CUG， 2011.
[8]	王韬 . 高速网络环境下的报文监测[D]. 东南大学, 2004. WANG T . Packet Sensor on High Speed Network[D]. Southeast University, 2004.

采集规则内容	说明
源IP	源IP或源IP地址段
宿IP	宿IP或宿IP地址段
源宿IP关系	源宿IP“且”、“或”关系
协议	运输层协议
源端口	源端口号
宿端口	宿端口号
源宿端口关系	源宿端口“且”、“或”关系
采集开始时间	单位为s
采集结束时间	单位为s

配置	规格
	Intel(R) Xeon(R) CPU
CPU
	E5-2650 0 @ 2.00 GHz
内存	DDR3 32 G
	CentOS release 6.5 (Final)
操作系统
	Linux fire 2.6.32-431.el6.x86_64
网卡类型	Intel(R) 10 Gigabit Network Connection
网卡驱动	ixgbe 3.10.16-DNA
分组捕获工具	PF_RING DNA v.5.6.1
磁盘	SCSI 299 GB