Function:
1, protocol conversion
Because the mainstream Internet data communication interfaces used by ISP are 40G POS, 10G POS/WAN/LAN, 2.5G POS, GE, etc. , and the commonly used data receiving interfaces of application servers are GE and 10GE? LAN interface, so usually the protocol conversion mentioned on the Internet communication interface mainly refers to the conversion between 40G POS, 10G POS and 2.5G POS to 10GE LAN or GE, and the bidirectional co-conversion between 10GE WAN and 10GE LAN and GE.
2. Data collection and distribution
Most data acquisition applications basically just extract the traffic they care about and discard the traffic they don't care about. For the concerned traffic, the data traffic of specific IP, specific protocol and specific port is extracted by the way of five-tuple (source IP, destination IP, source port, destination port and protocol) aggregation. When outputting, according to a specific hash algorithm, the same source and purpose are guaranteed, and the load is balanced.
3. Signature filtering
For the collection of P2P traffic, the application system is likely to only pay attention to some specific traffic, such as streaming media PPStream, BT, Thunder, and common keywords such as GET and POST on http, which can be extracted and aggregated through signature matching. The splitter supports fixed position signature filtering and floating signature filtering. Floating signature is an offset specified on the basis of the implementation of fixed position signature, which is suitable for applications where the signature to be filtered is clear, but the specific location of the signature is not clear.
4. Session management
Identify the traffic of session connection and flexibly configure the value of session forwarding n (n = 1 ~ 1024). That is, the first n messages of each session are extracted and forwarded to the back-end application analysis system, and the messages after n values are discarded, saving resources for the downstream application analysis platform. Usually, when using IDS to monitor events, it is not necessary to process all the packets of the whole session, but only the first n packets of each session can be extracted to complete the analysis and monitoring of events.
5. Data mirroring and replication
The shunt can mirror and copy the data on the output interface, which ensures the data access of multiple application systems.
Extended data:
trait
1, independent
It is an independent hardware, which will not bring any impact on the load of existing network equipment, and has great advantages compared with port mirroring and other methods.
It is an online device. Simply put, it needs to be connected in series to the network. But it also brings a disadvantage, that is, it introduces a fault point. At the same time, because it is an online device, the current network needs to be interrupted during deployment. Of course, the impact of a specific outage depends on where it is deployed.
2. Transparency
Transparency means pointing to the current network. After accessing network probe, it has no influence on all devices in the current network and is completely transparent to them. Of course, this also includes the network probe sending traffic to the monitoring equipment, which is also transparent to the network.
Baidu Encyclopedia-Network Probe