CN112448864B

CN112448864B - Flow alarm monitoring method and device, computer equipment and storage medium

Info

Publication number: CN112448864B
Application number: CN202011208352.8A
Authority: CN
Inventors: 晏平
Original assignee: Individual
Current assignee: Individual
Priority date: 2020-11-03
Filing date: 2020-11-03
Publication date: 2022-08-05
Anticipated expiration: 2040-11-03
Also published as: CN112448864A

Abstract

The invention relates to a flow alarm monitoring method, a device, computer equipment and a storage medium, wherein the method comprises the steps of obtaining a user request; carrying out alarm definition of flow according to a user request; reading all traffic data information acquired based on a network flow acquisition protocol, and performing alarm analysis on all traffic data information to obtain an analysis result; performing visual traffic alarm prompt on the network topology according to the analysis result; and carrying out visual flow alarm prompt on the alarm popup window according to the analysis result. The invention is suitable for the flow monitoring of a large-scale network, has low deployment cost, and can visualize the flow alarm prompt on the network topology, and the link generating the flow alarm has corresponding color flicker change and alarm popup prompt.

Description

Flow alarm monitoring method and device, computer equipment and storage medium

Technical Field

The invention relates to a flow monitoring method, in particular to a flow alarm monitoring method, a flow alarm monitoring device, computer equipment and a storage medium.

Background

The network flow alarm is one of the important means for network evaluation, and is also the basis for network adjustment and service structure optimization. The traditional network traffic monitoring tool can not prompt the traffic overrun, can not bring any help to a network administrator, and can not monitor network activities for 24 multiplied by 7 days. Most of the traditional network traffic monitoring tools use port mirror image and hardware probe to monitor traffic. The monitoring mode based on the hardware probe needs to add a large number of probes for the traffic monitoring of the large-scale network, the overhead of the network equipment is increased due to the analysis based on the port traffic mirroring protocol, and the performance of the network equipment is affected by the mode based on the probes and the port mirroring. Some network traffic monitoring tools use SNMP to perform port traffic polling, and traffic data information provided by a traffic monitoring technology based on SNMP, namely a simple network management protocol, is not rich enough, and meanwhile, the granularity of traffic sampling time is large, so that the data monitored by the SNMP traffic is not accurate enough.

Therefore, it is necessary to design a new method, which is suitable for traffic monitoring of a large-scale network, has low deployment cost, and can visualize traffic alarm prompts on a network topology, and a link where traffic alarm occurs has corresponding color flicker change and has alarm popup prompt.

Disclosure of Invention

The invention aims to overcome the defects of the prior art and provides a flow alarm monitoring method, a flow alarm monitoring device, computer equipment and a storage medium.

In order to achieve the purpose, the invention adopts the following technical scheme: the flow alarm monitoring method comprises the following steps:

acquiring a user request;

performing alarm definition of flow according to the user request;

reading all traffic data information acquired based on a network flow acquisition protocol, and performing alarm analysis on all traffic data information to obtain an analysis result;

performing visual traffic alarm prompt on the network topology according to the analysis result;

and carrying out visual flow alarm prompt on an alarm popup window according to the analysis result.

The further technical scheme is as follows: the alarm definition of the flow according to the user request comprises the following steps:

carrying out flow alarm configuration according to the user request to obtain a configuration label;

and defining the alarm monitoring of the flow corresponding to the configuration label based on the bandwidth utilization rate, the duration and the monitoring time period.

The further technical scheme is as follows: the performing traffic alarm configuration according to the user request to obtain a configuration tag includes:

judging whether the user request is the alarm configuration of input flow;

if the user request is the alarm configuration of the input flow, judging whether the input flow alarm configuration corresponding to the port exists;

if the input flow alarm configuration corresponding to the existing port exists, inquiring the existing input flow alarm configuration of the corresponding port, and caching the existing input flow alarm configuration of the corresponding port;

formatting and fusing input flow alarm configuration corresponding to the user request to obtain input configuration;

marking the input configuration with a corresponding label to obtain a configuration label;

if the input flow alarm configuration corresponding to the port does not exist, analyzing the user request to obtain the input flow alarm configuration corresponding to the user request, and executing formatting and fusion of the input flow alarm configuration corresponding to the user request to obtain the input configuration;

if the user request is not the alarm configuration of the input flow, judging whether the user request is the alarm configuration of the output flow;

if the user request is the alarm configuration of the output flow, inquiring the existing output flow alarm configuration of the corresponding port, and caching the existing output flow alarm configuration of the corresponding port;

formatting and fusing output flow alarm configuration corresponding to the user request to obtain output configuration;

marking the output configuration with a corresponding label to obtain a configuration label;

and if the output flow alarm configuration corresponding to the port does not exist, analyzing the user request to obtain the output flow alarm configuration corresponding to the user request, and executing formatting and fusion of the output flow alarm configuration corresponding to the user request to obtain the output configuration.

The further technical scheme is as follows: the definition of alarm monitoring on the traffic corresponding to the configuration tag based on the bandwidth utilization rate, the duration and the monitoring period comprises the following steps:

judging whether the flow alarm configuration corresponding to the configuration label is empty or not;

if the traffic alarm configuration corresponding to the configuration tag is not empty, judging whether the traffic alarm configuration corresponding to the configuration tag contains the configuration of the bandwidth utilization rate;

if the flow alarm configuration corresponding to the configuration label comprises the configuration of the bandwidth utilization rate, caching the bandwidth utilization rate configuration;

judging whether the flow alarm configuration corresponding to the configuration label contains the configuration of the duration time or not;

if the flow alarm configuration corresponding to the configuration label contains the configuration of the duration, caching the configuration of the duration;

judging whether the flow alarm configuration corresponding to the configuration label contains the configuration of the monitoring time period or not;

if the flow alarm configuration corresponding to the configuration tag contains the configuration of the monitoring time period, caching the configuration of the monitoring time period;

and performing persistent storage on the flow alarm configuration corresponding to the configuration label.

The further technical scheme is as follows: the reading of all traffic data information acquired based on a network flow acquisition protocol and the alarm analysis of all traffic data information to obtain an analysis result include:

reading all flow data information acquired based on a network flow acquisition protocol;

judging whether a port corresponding to the read flow data information is in a monitoring time range or not;

if the port corresponding to the read flow data information is in the monitoring time range, judging whether the flow in the current time period exceeds the limit value of the bandwidth;

if the flow in the current time period does not exceed the limit value of the bandwidth, setting the flow state as that the current flow does not exceed the standard so as to obtain an analysis result;

if the flow in the current time period exceeds the limited value of the bandwidth, updating the time mark which continuously exceeds the limited value of the bandwidth;

judging whether the time mark exceeds a duration limit value or not;

if the time mark exceeds the duration limit value, setting the time mark to be zero;

setting the flow state as the continuous exceeding of the flow to obtain an analysis result;

and if the time mark does not exceed the duration limit value, setting the flow state as the current flow exceeding to obtain an analysis result.

The further technical scheme is as follows: the performing of the visual traffic alarm prompt on the network topology according to the analysis result includes:

the link information with the flow alarm is pushed to the terminal, so that the terminal obtains the link state of the link information with the flow alarm, the terminal judges whether the link state is the flow continuous standard exceeding, and if the link state is the flow continuous standard exceeding, the terminal judges whether the link state is recovered after the flow exceeds the standard;

if the link state is recovered after the flow exceeds the standard, searching a link corresponding to the alarm on the network topology, searching a link corresponding to the network topology through the attribute of the alarm link, judging whether the corresponding link can be searched on the network topology, if so, sending the searched link state to the terminal so that the terminal judges whether the link state needs to be updated, and if so, judging whether the link needs to be flashed by the alarm;

if the link needs to alarm and flash, setting the link state as flashing on the network topology;

and if the link does not need to be alarmed and flickered, setting the link state as non-flickering on the network topology.

The further technical scheme is as follows: the process of carrying out visual flow alarm prompt on the alarm popup according to the analysis result comprises the following steps:

and pushing flow alarm information to the terminal according to the analysis result so that the terminal acquires an alarm type in the flow alarm information, judging whether the alarm type is selected in the flow pushing configuration, if the alarm type is selected in the flow pushing configuration, judging whether the flow alarm information is in a flow continuous standard exceeding state, if the flow alarm information is in the flow continuous standard exceeding state, judging whether the flow alarm information is in the flow standard exceeding state and then recovering, if the flow alarm information is in the flow standard exceeding state and then recovering, analyzing the flow alarm information to obtain specific content, displaying the specific content in a real-time alarm frame in a list mode, judging whether a real-time alarm window is selected and popped up automatically, and if the flow alarm window is selected and popped up automatically, popping up and displaying the real-time alarm frame in a window.

The invention also provides a flow alarm monitoring device, comprising:

a request acquisition unit for acquiring a user request;

the definition unit is used for carrying out the alarm definition of the flow according to the user request;

the analysis unit is used for reading all the flow data information acquired based on the network flow acquisition protocol and carrying out alarm analysis on all the flow data information to obtain an analysis result;

the topology display unit is used for carrying out visual traffic alarm prompt on the network topology according to the analysis result;

and the popup window display unit is used for carrying out visual flow alarm prompt on the alarm popup window according to the analysis result.

The invention also provides a computer device, which comprises a memory and a processor, wherein the memory is stored with a computer program, and the processor executes the computer program to realize the method.

The invention also provides a storage medium storing a computer program which, when executed by a processor, is operable to carry out the method as described above.

Compared with the prior art, the invention has the beneficial effects that: the invention carries out alarm definition of input quantity and output flow according to the user request, carries out alarm monitoring self-definition on the utilization rate, duration and monitoring time period of bandwidth, carries out alarm analysis on the acquired information based on all flow data information acquired by a NetFlow, CFlow and NetStream network flow acquisition protocol, and carries out visual flow alarm prompt on the network topology and the alarm popup window, thereby realizing the flow monitoring suitable for a large-scale network, having low deployment cost, being capable of visualizing the flow alarm prompt on the network topology, having corresponding color flicker change on the link generating the flow alarm and simultaneously having the alarm popup prompt.

The invention is further described below with reference to the accompanying drawings and specific embodiments.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.

Fig. 1 is a schematic view of an application scenario of a traffic alarm monitoring method according to an embodiment of the present invention;

fig. 2 is a schematic flow chart of a flow alarm monitoring method according to an embodiment of the present invention;

fig. 3 is a schematic block diagram of a flow alarm monitoring device according to an embodiment of the present invention;

FIG. 4 is a schematic block diagram of a computer device provided by an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.

It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.

Referring to fig. 1 and fig. 2, fig. 1 is a schematic view of an application scenario of a traffic alarm monitoring method according to an embodiment of the present invention. Fig. 2 is a schematic flow chart of a traffic alarm monitoring method according to an embodiment of the present invention. The flow alarm monitoring method is applied to a server. The server performs data interaction with the terminal, performs flow analysis based on NetFlow, CFlow and NetStream technologies through the server, and displays alarm content on a network topology and an alarm popup window, wherein the popup window display is completed depending on the terminal.

Fig. 2 is a schematic flow chart of a traffic alarm monitoring method according to an embodiment of the present invention. As shown in fig. 2, the method includes the following steps S110 to S150.

And S110, acquiring a user request.

In this embodiment, the user request refers to a definition request for a traffic alarm input by the terminal, and when the server receives the request, the server performs alarm definition first, then performs traffic monitoring, and displays a monitored alarm result.

And S120, performing alarm definition of the flow according to the user request.

In this embodiment, the alarm definition can be performed on the input traffic and the output traffic, and the alarm monitoring customization can be performed on the utilization rate, the duration and the monitoring period of the bandwidth.

In one embodiment, the step S120 may include steps S121 to S122.

And S121, carrying out flow alarm configuration according to the user request to obtain a configuration label.

In this embodiment, the configuration tag is a tag indicating whether traffic is an input type or an output type.

In one embodiment, the step S121 may include steps S121 a-S121 k.

S121a, judging whether the user request is the alarm configuration of input flow;

s121b, if the user request is the alarm configuration of input flow, judging whether the input flow alarm configuration corresponding to the port exists;

s121c, if the input flow alarm configuration corresponding to the existing port exists, inquiring the existing input flow alarm configuration of the corresponding port, and caching the existing input flow alarm configuration of the corresponding port;

s121d, formatting and fusing input flow alarm configuration corresponding to the user request to obtain input configuration;

and S121e, marking the input configuration with a corresponding label to obtain a configuration label.

When the port corresponding to the user request has the input flow alarm configuration, the configuration is directly cached, the configuration corresponding to the user request is formatted and fused, and a new input configuration is obtained.

S121f, if there is no input traffic alarm configuration corresponding to the port, analyzing the user request to obtain an input traffic alarm configuration corresponding to the user request, and executing the step S121 d.

And when the port corresponding to the user request does not have the corresponding input flow alarm configuration, directly analyzing the configuration corresponding to the user request for formatting and fusion to obtain new input configuration.

S121g, if the user request is not the alarm configuration of the input flow, judging whether the user request is the alarm configuration of the output flow;

s121h, if the user request is the alarm configuration of the output flow, inquiring the existing output flow alarm configuration of the corresponding port, and caching the existing output flow alarm configuration of the corresponding port;

s121i, formatting and fusing output flow alarm configuration corresponding to the user request to obtain output configuration;

and S121j, marking the output configuration with a corresponding label to obtain a configuration label.

When the port corresponding to the user request is related to the output flow alarm configuration, the configuration is directly cached, the configuration corresponding to the user request is formatted and fused, and a new output configuration is obtained.

S121k, if the output traffic alarm configuration corresponding to the port does not exist, analyzing the user request to obtain the output traffic alarm configuration corresponding to the user request, and executing the step S121 i.

And when the port corresponding to the user request does not have the corresponding output flow alarm configuration, directly analyzing the configuration corresponding to the user request for formatting and fusion to obtain new output configuration.

And S122, defining alarm monitoring on the flow corresponding to the configuration label based on the bandwidth utilization rate, the duration and the monitoring time period.

In one embodiment, the step S122 may include steps S1221 to S1228.

S1221, judging whether the flow alarm configuration corresponding to the configuration label is empty;

if the flow alarm configuration corresponding to the configuration label is empty, entering an ending step;

s1222, if the traffic alarm configuration corresponding to the configuration tag is not empty, determining whether the traffic alarm configuration corresponding to the configuration tag includes a configuration of bandwidth utilization;

if the traffic alarm configuration corresponding to the configuration tag does not include the configuration of the bandwidth utilization rate, execute step S1224;

s1223, if the flow alarm configuration corresponding to the configuration label contains the configuration of the bandwidth utilization rate, caching the bandwidth utilization rate configuration;

s1224, judging whether the traffic alarm configuration corresponding to the configuration tag contains the configuration of the duration;

if the traffic alarm configuration corresponding to the configuration tag does not include the configuration of the duration, executing step S1226;

s1225, if the flow alarm configuration corresponding to the configuration tag contains the configuration of the duration, caching the configuration of the duration;

s1226, judging whether the flow alarm configuration corresponding to the configuration label contains the configuration of the monitoring time period;

s1227, if the flow alarm configuration corresponding to the configuration tag contains the configuration of the monitoring time period, caching the configuration of the monitoring time period;

and S1228, performing persistent storage on the flow alarm configuration corresponding to the configuration label.

In this embodiment, the traffic alarm configuration corresponding to the configuration tag is mainly configured by the bandwidth utilization configuration, the duration configuration, and the monitoring period of the cache.

The content of the stored traffic alarm configuration corresponding to the configuration tag is shown in table 1 below.

Table 1. contents of the traffic alarm configuration corresponding to the configuration tag

If the traffic alarm configuration corresponding to the configuration tag does not include the configuration of the monitoring period, the step S1228 is executed.

S130, reading all the flow data information acquired based on the network flow acquisition protocol, and performing alarm analysis on all the flow data information to obtain an analysis result.

In this embodiment, the analysis result refers to a result formed by analyzing whether the flow exceeds the standard or not.

In one embodiment, the step S130 may include steps S131 to S139.

S131, reading all flow data information collected based on the network flow collection protocol.

In this embodiment, the traffic data information refers to input traffic and output traffic of a certain port.

The information acquisition is carried out based on network flow acquisition protocols such as NetFlow, CFlow and NetStream, the support for the NetFlow, the CFlow and the NetStream is good, and the method can be suitable for flow alarm monitoring of large networks.

Currently, NetFlow, CFlow and NetStream technologies are the only traffic analysis mode supported by routers, the NetFlow technology is mature and becomes the most important industry standard for IP traffic statistics and analysis in the internet field, the traffic analyzed by NetFlow is large, and the NetFlow is applicable to traffic monitoring of large networks and low in deployment cost.

Specifically, NetFlow, CFlow, and NetStream form original data according to a certain aggregation statistical rule for data streams within a specified time, and store the original data in a cache, and when timeout time is reached or the cache is full, send the data in the cache to a specified receiver according to a certain format. The message structure of NetFlow, CFlow and NetStream protocol contains the serial number of the inflow Interface and the serial number of the outflow Interface, and the serial number of the Interface is the 16-system SNMP Interface Index of the Interface. Ingress and egress interface numbers can distinguish between ingress and egress conditions of the flows in each network device. Through the analysis of each Flow protocol message, the conditions of port inflow and port outflow can be respectively counted, so that the input Flow and the output Flow are distinguished and respectively counted.

In this embodiment, all traffic data may be read for one minute.

S132, judging whether the port corresponding to the read flow data information is in a monitoring time range;

if the port corresponding to the read flow data information is not in the monitoring time range, entering an ending step;

s133, if the port corresponding to the read flow data information is in the monitoring time range, judging whether the flow in the current time period exceeds a limit value of the bandwidth;

s134, if the flow in the current time period does not exceed the limit value of the bandwidth, setting the flow state as that the current flow does not exceed the standard so as to obtain an analysis result;

s135, if the flow in the current time period exceeds the limited value of the bandwidth, updating the time mark continuously exceeding the limited value of the bandwidth;

s136, judging whether the time mark exceeds a duration time limit value or not;

s137, if the time mark exceeds the duration time limit value, setting the time mark to be zero;

s138, setting the flow state as the continuous exceeding of the flow to obtain an analysis result;

and S139, if the time mark does not exceed the duration limit value, setting the flow state as the current flow exceeding to obtain an analysis result.

In the present embodiment, the duration limit is preset, such as three minutes.

And S140, performing visual traffic alarm prompting on the network topology according to the analysis result.

In this embodiment, a traffic alarm prompt can be visualized on a network topology, and a link in which a traffic alarm occurs has a corresponding color flicker change.

In one embodiment, the step S140 may include steps S141 to S144.

S141, pushing the link information with the flow alarm to a terminal so that the terminal can obtain the link state of the link information with the flow alarm, judging whether the link state is the flow continuous standard exceeding or not by the terminal, and if the link state is the flow continuous standard exceeding, judging whether the link state is the flow standard exceeding or not and then recovering;

s142, if the link state is recovered after the flow exceeds the standard, searching a link corresponding to the alarm on the network topology, searching a link corresponding to the network topology through the attribute of the alarm link, judging whether the corresponding link can be searched on the network topology, if the corresponding link is searched on the network topology, sending the searched link state to the terminal so that the terminal judges whether the link state needs to be updated, and if the link state needs to be updated, judging whether the link needs to be flashed by the alarm;

s143, if the link needs to be alarmed and flickered, setting the link state to be flickering on the network topology;

and S144, if the link does not need to be subjected to alarm flashing, setting the link state on the network topology as non-flashing.

Specifically, after calculating a link flow alarm state, the server actively pushes link information with flow alarm to the terminal; after receiving traffic alarm link information actively pushed by a server, a terminal acquires a link state therein; the terminal judges whether the acquired link state is the flow continuous standard exceeding or not, if the flow continuous standard exceeding is detected, the link corresponding to the alarm is searched in the topology, whether the corresponding link can be searched in the topology is judged, after the corresponding link is found in the topology, the state of the current link is acquired for later state comparison, and the current link state and the alarm link state are used for comparison: if the current link state is continuously overproof and the alarm link state is continuously overproof, the link state needs to be updated and the flashing time is updated, if the current link state is continuously overproof and the alarm link state is recovered after overproof, the link state needs to be updated, and if the current link state is normal and the alarm link state is continuously overproof, the link state needs to be updated; if the current link state is recovered after exceeding the standard and the alarm link state is continuously exceeding the standard, the link state needs to be updated; no other cases require updating the link state. If the flow does not continuously exceed the standard, the terminal judges whether the acquired link state is recovered after the flow exceeds the standard, if the flow exceeds the standard, the terminal executes the link corresponding to the alarm searched in the topology, and if not, the terminal ends the processing.

Specifically, searching for the link corresponding to the alarm topologically is performed by searching for the link corresponding to the topology through the attributes of the router information, the link IP and the like carried by the alarm link;

if the current link state is continuously overproof and the alarm link state is continuously overproof, the link state needs to be updated, and the flashing time is updated; if the current link state is normal and the alarm link state is continuously overproof, the link state needs to be updated; if the current link state is recovered after exceeding the standard and the alarm link state is continuously exceeding the standard, the link state needs to be updated; these three requests require a warning flash.

If the current link state is continuously overproof and the alarm link state is recovered after overproof, the link state needs to be updated without alarm flashing

Firstly, judging whether a link needs to flicker, if so, setting the link state as flicker, and then enabling the link on the topology to flicker continuously to prompt a user that the flow exceeds the standard; if the link is set to be not flashing without flashing, the flashing of the link which is originally flashing stops, the recovery of the exceeding standard of the flow of the user is prompted, and then the processing is finished

The traffic alarm prompt can be visualized on network topology, and the link which generates the traffic alarm has corresponding color flicker change, namely, the link flickers only when the traffic in any input/output direction exceeds the standard, and the link flickers after the input/output traffic is recovered to be normal.

And S150, performing visual flow alarm prompt on the alarm popup window according to the analysis result.

In an embodiment, the step S150 may include:

Specifically, after a server calculates a link flow alarm, the server actively pushes flow alarm information to a terminal; after receiving the traffic alarm information actively pushed by the server, the terminal acquires the alarm type in the traffic alarm information; the terminal judges the acquired alarm type, judges whether the flow type is selected in the flow pushing configuration, and if not, ends the processing; if yes, the terminal judges whether the acquired flow alarm is in a flow continuous standard exceeding state or not, and if yes, the specific content of the flow alarm is analyzed; displaying the alarm information in a real-time alarm frame in a form of a list; judging whether to check the automatic pop-up real-time alarm window, if so, popping up the real-time alarm window, and if not, ending the processing;

in addition, the real-time alarm window is popped up and displayed in the middle, and meanwhile, the hierarchy is positioned at the topmost layer.

If the flow does not continuously exceed the standard, the terminal judges whether the acquired flow alarm is recovered after the flow exceeds the standard, if the flow exceeds the standard, the terminal analyzes the specific content of the flow alarm, and if the flow does not exceed the standard, the terminal ends the processing.

In one embodiment, the related information in the real-time alarm window may be integrated into a real-time alarm list dialog box, in which the alarm information is displayed, and the flow alarm is displayed in the input/output direction.

The processing process of the traffic alarm visualization is mainly embodied in real-time traffic change on network topology, and has obvious color change and flicker; when the flow alarm occurs, a popup window prompt is given, the popup window is displayed in the middle of the whole desktop after popping up and is positioned at the topmost layer of the display level, and the highlighting effect is achieved.

According to the flow alarm monitoring method, alarm definition of input quantity and output flow is carried out according to user requests, alarm monitoring self-defining is carried out on the utilization rate of bandwidth, duration and monitoring time period, alarm analysis is carried out on the collected information based on all flow data information collected by a NetFlow, CFlow and NetStream network flow collection protocol, and visual flow alarm prompt is carried out on a network topology and an alarm popup window, so that flow monitoring suitable for a large-scale network is realized, the deployment cost is low, the flow alarm prompt can be visualized on the network topology, a link with flow alarm has corresponding color flicker change, and the alarm popup window prompt is carried out.

Fig. 3 is a schematic block diagram of a flow alarm monitoring device 300 according to an embodiment of the present invention. As shown in fig. 3, the present invention also provides a traffic alarm monitoring device 300 corresponding to the above traffic alarm monitoring method. The traffic alarm monitoring device 300 includes means for performing the above-described traffic alarm monitoring method, and the device may be configured in a server. Specifically, referring to fig. 3, the traffic alarm monitoring apparatus 300 includes a request obtaining unit 301, a defining unit 302, an analyzing unit 303, a topology displaying unit 304, and a pop-up window displaying unit 305.

A request acquiring unit 301, configured to acquire a user request; a defining unit 302, configured to perform traffic alarm definition according to the user request; the analysis unit 303 is configured to read all traffic data information acquired based on a network flow acquisition protocol, and perform alarm analysis on all traffic data information to obtain an analysis result; a topology display unit 304, configured to perform a visual traffic alarm prompt on a network topology according to the analysis result; and the pop window display unit 305 is configured to perform visual flow alarm prompting on the alarm pop window according to the analysis result.

In one embodiment, the definition unit 302 includes a configuration subunit and an alarm definition subunit.

The configuration subunit is used for carrying out flow alarm configuration according to the user request so as to obtain a configuration label;

and the alarm definition subunit is used for defining alarm monitoring on the traffic corresponding to the configuration label based on the bandwidth utilization rate, the duration and the monitoring time interval.

In one embodiment, the configuration subunit includes an input judgment module, an input configuration judgment module, an input query module, an input formatting module, an input tag setting module, an input parsing module, an output configuration judgment module, an output query module, an output formatting module, an output tag setting module, and an output parsing module.

The input judgment module is used for judging whether the user request is the alarm configuration of the input flow; the input configuration judging module is used for judging whether input flow alarm configuration corresponding to a port exists or not if the user request is the alarm configuration of input flow; the input query module is used for querying the existing input flow alarm configuration of the corresponding port and caching the existing input flow alarm configuration of the corresponding port if the input flow alarm configuration corresponding to the existing port exists; the input formatting module is used for formatting and fusing input flow alarm configuration corresponding to the user request to obtain input configuration; the input label setting module is used for printing a corresponding label on the input configuration to obtain a configuration label; the input analysis module is used for analyzing the user request to obtain input flow alarm configuration corresponding to the user request and executing formatting and fusion of the input flow alarm configuration corresponding to the user request to obtain input configuration if the input flow alarm configuration corresponding to the port does not exist; the output configuration judging module is used for judging whether the user request is the alarm configuration of the output flow or not if the user request is not the alarm configuration of the input flow; the output query module is used for querying the existing output flow alarm configuration of the corresponding port and caching the existing output flow alarm configuration of the corresponding port if the user request is the alarm configuration of the output flow; the output formatting module is used for formatting and fusing output flow alarm configuration corresponding to the user request to obtain output configuration; the output label setting module is used for printing a corresponding label on the output configuration to obtain a configuration label; and the output analysis module is used for analyzing the user request to obtain the output flow alarm configuration corresponding to the user request and executing the formatting and fusion of the output flow alarm configuration corresponding to the user request to obtain the output configuration if the output flow alarm configuration corresponding to the port does not exist.

In an embodiment, the alarm definition subunit includes an empty configuration determining module, a bandwidth caching module, a time determining module, a time caching module, a time period determining module, a time period caching module, and a storage module.

The empty configuration judging module is used for judging whether the flow alarm configuration corresponding to the configuration label is empty or not; the bandwidth judging module is used for judging whether the traffic alarm configuration corresponding to the configuration label contains the configuration of the bandwidth utilization rate or not if the traffic alarm configuration corresponding to the configuration label is not empty; a bandwidth caching module, configured to cache bandwidth utilization configuration if the traffic alarm configuration corresponding to the configuration tag includes configuration of bandwidth utilization; the time judgment module is used for judging whether the flow alarm configuration corresponding to the configuration label contains the configuration of the duration time or not; the time caching module is used for caching the duration configuration if the flow alarm configuration corresponding to the configuration tag contains the configuration of the duration; the time interval judging module is used for judging whether the flow alarm configuration corresponding to the configuration label contains the configuration of the monitoring time interval; a time interval caching module, configured to cache the monitoring time interval configuration if the traffic alarm configuration corresponding to the configuration tag includes the configuration of the monitoring time interval; and the storage module is used for carrying out persistent storage on the flow alarm configuration corresponding to the configuration label.

In one embodiment, the analysis unit 303 includes an information reading subunit, a time range judging subunit, a bandwidth limit value judging subunit, a non-exceeding setting subunit, an updating subunit, a time stamp judging subunit, a zero setting subunit, a sustained exceeding setting subunit, and a exceeding setting subunit.

The information reading subunit is used for reading all the flow data information acquired based on the network flow acquisition protocol; the time range judging subunit is used for judging whether the port corresponding to the read flow data information is in the monitoring time range; a bandwidth limit value judging subunit, configured to judge whether the traffic in the current time period exceeds the bandwidth limit value if the port corresponding to the read traffic data information is within the monitoring time range; the non-exceeding setting subunit is used for setting the flow state as the current flow is not exceeding the limit value of the bandwidth if the flow in the current time period is not exceeding the limit value of the bandwidth, so as to obtain an analysis result; the updating subunit is used for updating the time stamp which continuously exceeds the limited value of the bandwidth if the flow in the current time period exceeds the limited value of the bandwidth; the time mark judging subunit is used for judging whether the time mark exceeds a duration time limit value or not; the zero setting subunit is used for setting the time mark to be zero if the time mark exceeds a duration limited value; the continuous exceeding setting subunit is used for setting the flow state as the continuous exceeding of the flow so as to obtain an analysis result; and the exceeding setting subunit is used for setting the flow state as the current flow exceeding to obtain an analysis result if the time mark does not exceed the duration limit value.

In an embodiment, the topology displaying unit includes a pushing subunit, a judging subunit, a flicker setting subunit, and a non-flicker setting subunit.

The pushing subunit is used for pushing the link information with the flow alarm to the terminal so that the terminal can obtain the link state of the link information with the flow alarm, the terminal judges whether the link state is the flow continuous standard exceeding, and if the link state is the flow continuous standard exceeding, the terminal judges whether the link state is recovered after the flow exceeds the standard; the judging subunit is used for searching a link corresponding to the alarm on the network topology if the link state is recovered after the flow exceeds the standard, searching a link corresponding to the alarm on the network topology through the attribute of the alarm link, judging whether the corresponding link can be searched on the network topology, if the corresponding link is searched on the network topology, sending the searched link state to the terminal so that the terminal judges whether the link state needs to be updated, and if the link state needs to be updated, judging whether the link needs to be flashed by the alarm; the flicker setting subunit is used for setting the link state as flicker on the network topology if the link needs to be subjected to alarm flicker; and the non-flicker setting subunit is used for setting the link state as non-flicker on the network topology if the link does not need to be subjected to alarm flicker.

In an embodiment, the pop-up window display unit 305 is configured to push traffic alarm information to a terminal according to the analysis result, so that the terminal can obtain the alarm type in the traffic alarm information and judge whether the alarm type is selected in the traffic push configuration, if the alarm type is selected in the traffic push configuration, judging whether the flow alarm information is that the flow continuously exceeds the standard or not, if so, judging whether the flow alarm information is recovered after the flow exceeds the standard, if so, analyzing the flow alarm information to obtain specific content, and displaying the specific content in the real-time alarm frame in a list form, judging whether to check the automatic popup real-time alarm window, and if so, displaying the real-time alarm frame in a popup mode.

It should be noted that, as can be clearly understood by those skilled in the art, the specific implementation processes of the flow alarm monitoring device 300 and each unit may refer to the corresponding descriptions in the foregoing method embodiments, and for convenience and brevity of description, no further description is provided herein.

The flow alarm monitoring device 300 may be implemented in the form of a computer program that can be run on a computer device as shown in fig. 4.

Referring to fig. 4, fig. 4 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 may be a server, wherein the server may be an independent server or a server cluster composed of a plurality of servers.

Referring to fig. 4, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.

The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer programs 5032 include program instructions that, when executed, cause the processor 502 to perform a flow alarm monitoring method.

The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.

The internal memory 504 provides an environment for the operation of the computer program 5032 in the non-volatile storage medium 503, and when the computer program 5032 is executed by the processor 502, the processor 502 may be enabled to perform a flow alarm monitoring method.

The network interface 505 is used for network communication with other devices. Those skilled in the art will appreciate that the configuration shown in fig. 4 is a block diagram of only a portion of the configuration associated with the present application and does not constitute a limitation of the computer device 500 to which the present application may be applied, and that a particular computer device 500 may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.

Wherein the processor 502 is configured to run the computer program 5032 stored in the memory to implement the following steps:

acquiring a user request; performing alarm definition of flow according to the user request; reading all traffic data information acquired based on a network flow acquisition protocol, and performing alarm analysis on all traffic data information to obtain an analysis result; performing visual traffic alarm prompt on the network topology according to the analysis result; and carrying out visual flow alarm prompt on an alarm popup window according to the analysis result.

In an embodiment, when implementing the step of defining the traffic alarm according to the user request, the processor 502 specifically implements the following steps:

carrying out flow alarm configuration according to the user request to obtain a configuration label; and defining the alarm monitoring of the flow corresponding to the configuration label based on the bandwidth utilization rate, the duration and the monitoring time period.

In an embodiment, when implementing the step of performing traffic alarm configuration according to the user request to obtain the configuration tag, the processor 502 specifically implements the following steps:

judging whether the user request is the alarm configuration of input flow; if the user request is the alarm configuration of the input flow, judging whether the input flow alarm configuration corresponding to the port exists; if the input flow alarm configuration corresponding to the existing port exists, inquiring the existing input flow alarm configuration of the corresponding port, and caching the existing input flow alarm configuration of the corresponding port; formatting and fusing input flow alarm configuration corresponding to the user request to obtain input configuration; marking the input configuration with a corresponding label to obtain a configuration label; if the input flow alarm configuration corresponding to the port does not exist, analyzing the user request to obtain the input flow alarm configuration corresponding to the user request, and executing formatting and fusion of the input flow alarm configuration corresponding to the user request to obtain the input configuration; if the user request is not the alarm configuration of the input flow, judging whether the user request is the alarm configuration of the output flow; if the user request is the alarm configuration of the output flow, inquiring the existing output flow alarm configuration of the corresponding port, and caching the existing output flow alarm configuration of the corresponding port; formatting and fusing output flow alarm configuration corresponding to the user request to obtain output configuration; marking the output configuration with a corresponding label to obtain a configuration label; and if the output flow alarm configuration corresponding to the port does not exist, analyzing the user request to obtain the output flow alarm configuration corresponding to the user request, and executing formatting and fusion of the output flow alarm configuration corresponding to the user request to obtain the output configuration.

In an embodiment, when implementing the step of defining the alarm monitoring for the traffic corresponding to the configuration tag based on the bandwidth utilization, the duration, and the monitoring period, the processor 502 specifically implements the following steps:

judging whether the flow alarm configuration corresponding to the configuration label is empty or not; if the traffic alarm configuration corresponding to the configuration tag is not empty, judging whether the traffic alarm configuration corresponding to the configuration tag contains the configuration of the bandwidth utilization rate; if the flow alarm configuration corresponding to the configuration label comprises the configuration of the bandwidth utilization rate, caching the bandwidth utilization rate configuration; judging whether the flow alarm configuration corresponding to the configuration label contains the configuration of the duration time or not; if the flow alarm configuration corresponding to the configuration label contains the configuration of the duration, caching the configuration of the duration; judging whether the flow alarm configuration corresponding to the configuration label contains the configuration of the monitoring time period or not; if the flow alarm configuration corresponding to the configuration tag contains the configuration of the monitoring time period, caching the configuration of the monitoring time period; and performing persistent storage on the flow alarm configuration corresponding to the configuration label.

In an embodiment, when the processor 502 implements the steps of reading all traffic data information acquired based on the network flow acquisition protocol, and performing alarm analysis on all traffic data information to obtain an analysis result, the following steps are specifically implemented:

reading all flow data information acquired based on a network flow acquisition protocol; judging whether a port corresponding to the read flow data information is in a monitoring time range or not; if the port corresponding to the read flow data information is in the monitoring time range, judging whether the flow in the current time period exceeds the limit value of the bandwidth; if the flow in the current time period does not exceed the limit value of the bandwidth, setting the flow state as that the current flow does not exceed the standard so as to obtain an analysis result; if the flow in the current time period exceeds the limited value of the bandwidth, updating the time mark which continuously exceeds the limited value of the bandwidth; judging whether the time mark exceeds a duration limit value or not; if the time mark exceeds the duration limit value, setting the time mark to be zero; setting the flow state as the continuous exceeding of the flow to obtain an analysis result; and if the time mark does not exceed the duration limit value, setting the flow state as the current flow exceeding to obtain an analysis result.

In an embodiment, when implementing the step of performing visual traffic alarm prompting on the network topology according to the analysis result, the processor 502 specifically implements the following steps:

the link information with the flow alarm is pushed to the terminal, so that the terminal obtains the link state of the link information with the flow alarm, the terminal judges whether the link state is the flow continuous standard exceeding, and if the link state is the flow continuous standard exceeding, the terminal judges whether the link state is recovered after the flow exceeds the standard; if the link state is recovered after the flow exceeds the standard, searching a link corresponding to the alarm on the network topology, searching a link corresponding to the network topology through the attribute of the alarm link, judging whether the corresponding link can be searched on the network topology, if so, sending the searched link state to the terminal so that the terminal judges whether the link state needs to be updated, and if so, judging whether the link needs to be flashed by the alarm; if the link needs to alarm and flash, setting the link state as flashing on the network topology; and if the link does not need to be alarmed and flickered, setting the link state as non-flickering on the network topology.

In an embodiment, when implementing the step of performing visual traffic alarm prompting on the alarm popup according to the analysis result, the processor 502 specifically implements the following steps:

It should be understood that in the embodiment of the present Application, the Processor 502 may be a Central Processing Unit (CPU), and the Processor 502 may also be other general-purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components, and the like. Wherein a general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.

It will be understood by those skilled in the art that all or part of the flow of the method implementing the above embodiments may be implemented by a computer program instructing associated hardware. The computer program includes program instructions, and the computer program may be stored in a storage medium, which is a computer-readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.

Accordingly, the present invention also provides a storage medium. The storage medium may be a computer-readable storage medium. The storage medium stores a computer program, wherein the computer program, when executed by a processor, causes the processor to perform the steps of:

In an embodiment, when the processor executes the computer program to implement the step of defining the traffic alarm according to the user request, the following steps are specifically implemented:

In an embodiment, when the processor executes the computer program to implement the step of performing traffic alarm configuration according to the user request to obtain a configuration tag, the following steps are specifically implemented:

In an embodiment, when the processor executes the computer program to implement the step of defining the alarm monitoring for the traffic corresponding to the configuration tag based on the bandwidth utilization, the duration, and the monitoring period, the following steps are specifically implemented:

In an embodiment, when the processor executes the computer program to read all traffic data information acquired based on a network flow acquisition protocol and perform alarm analysis on all traffic data information to obtain an analysis result, the following steps are specifically implemented:

In an embodiment, when the processor executes the computer program to implement the step of performing visual traffic alarm prompting on the network topology according to the analysis result, the following steps are specifically implemented:

pushing the link information with the flow alarm to a terminal so that the terminal can obtain the link state of the link information with the flow alarm, judging whether the link state exceeds the standard continuously or not by the terminal, and if the link state exceeds the standard continuously, judging whether the link state exceeds the standard continuously or not and then recovering; if the link state is recovered after the flow exceeds the standard, searching a link corresponding to the alarm on the network topology, searching a link corresponding to the network topology through the attribute of the alarm link, judging whether the corresponding link can be searched on the network topology, if so, sending the searched link state to the terminal so that the terminal judges whether the link state needs to be updated, and if so, judging whether the link needs to be flashed by the alarm; if the link needs to alarm and flash, setting the link state as flashing on the network topology; and if the link does not need to be alarmed and flickered, setting the link state as non-flickering on the network topology.

In an embodiment, when the processor executes the computer program to implement the step of performing visual traffic alarm prompting on an alarm popup according to the analysis result, the following steps are specifically implemented:

and pushing flow alarm information to the terminal according to the analysis result so that the terminal acquires the alarm type in the flow alarm information, judging whether the alarm type is checked in the flow push configuration, if so, judging whether the flow alarm information is in a flow continuous standard exceeding state, if so, judging whether the flow alarm information is in a flow standard exceeding state, recovering the flow alarm information after exceeding the flow standard exceeding state, if so, analyzing the flow alarm information to obtain specific contents, displaying the specific contents in a real-time alarm frame in a list form, judging whether the real-time alarm window is checked and popped up automatically, and if the real-time alarm window is checked and popped up automatically, popping up the real-time alarm frame in a window for display.

The storage medium may be a usb disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, or an optical disk, which can store various computer readable storage media.

Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described in a functional general in the foregoing description for the purpose of illustrating clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, various elements or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented.

The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be merged, divided and deleted according to actual needs. In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.

The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. Based on such understanding, the technical solution of the present invention essentially or partially contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a terminal, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention.

While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims

1. The flow alarm monitoring method is characterized by comprising the following steps:

acquiring a user request;

performing alarm definition of flow according to the user request;

performing visual flow alarm prompt on an alarm popup window according to the analysis result;

the performing of the visual traffic alarm prompt on the network topology according to the analysis result includes:

2. The traffic alarm monitoring method according to claim 1, wherein the defining of the traffic alarm according to the user request comprises:

3. The traffic alarm monitoring method according to claim 2, wherein the performing traffic alarm configuration according to the user request to obtain a configuration tag comprises:

judging whether the user request is the alarm configuration of input flow;

4. The traffic alarm monitoring method according to claim 3, wherein the defining of alarm monitoring on the traffic corresponding to the configuration tag based on bandwidth utilization, duration and monitoring period comprises:

5. The traffic alarm monitoring method according to claim 1, wherein the reading all traffic data information collected based on the network flow collection protocol and performing alarm analysis on all traffic data information to obtain an analysis result comprises:

judging whether the time mark exceeds a duration limit value or not;

if the time stamp exceeds the duration limit value, setting the time stamp to be zero;

if the time mark does not exceed the duration limit value, setting the flow state as the current flow exceeding the standard so as to obtain an analysis result.

6. The traffic alarm monitoring method according to claim 1, wherein the performing of the visual traffic alarm prompt on the alarm pop according to the analysis result comprises:

7. Flow alarm monitoring devices, its characterized in that includes:

a request acquisition unit for acquiring a user request;

the popup display unit is used for carrying out visual flow alarm prompt on the alarm popup according to the analysis result;

pushing the link information with the flow alarm to a terminal so that the terminal can obtain the link state of the link information with the flow alarm, judging whether the link state exceeds the standard continuously or not by the terminal, and if the link state exceeds the standard continuously, judging whether the link state exceeds the standard continuously or not and then recovering;

8. A computer device, characterized in that the computer device comprises a memory, on which a computer program is stored, and a processor, which when executing the computer program implements the method according to any of claims 1 to 6.

9. A storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 6.