万兆网络数据包捕获系统地研究和开发.doc

摘 要 随着计算机网络宽带的迅速发展，作为网络安全基础的网络数据包捕获系统的性 能瓶颈日益凸显。一方面，网络带宽目前已发展到万兆宽带，网络系统性能的瓶颈从 网络传输转向了网络处理。另一方面，传统的数据包捕获系统，主机消耗大量的 CPU 资源用以分析处理捕获的网络数据包，系统开销大。因此，本文设计了适用于万兆以 太网的数据包捕获系统，该系统设计的硬件电路除可基于定制规则来捕获数据包，还 可实现数据包的协议分析、内容匹配功能。 本文先简述当前数据包捕获系统，以及相关关键技术，分析其在高速网络应用中 的某些不足，并提出一种新的系统架构，改进硬件的功能以提升捕获系统的性能。该 硬件系统包含三方面的内容：一，本文提出一种基于缓存的快速协议分析算法，可根 据构建的分组查询表依次分析数据包的协议头，记录相关分析结果；二，提出一种多 字节的并行匹配算法，它利用硬件的并行特性，构建待匹配的多字节模式链，将数据 并行地送入匹配链，进行流水线的匹配，此算法改进了单字节的匹配算法，可用于多 模式多字节的内容匹配以满足系统带宽要求；三，在协议分析和内容匹配的基础上， 创建了一种基于规则组合的捕获机制，该机制集成六类规则，实现了基于规则表组合 的捕获功能，达到了准确捕获定制数据包的效果。 最后，本文综合上述算法，并在 FPGA 中成功实现。在完成研究、设计和实现的 基础上，本文还对数据包捕获系统的功能、性能进行了验证测试，结果达到预期目标。 关键词: 万兆以太网, 数据包捕获, 协议分析, 内容匹配, 规则组合, 捕获机制 I Abstract With the rapid development of Internet, the bottleneck of the network packet capture system which is base of network security has become more and more obvious. On the one hand, network bandwidth has been developed to gigabit network and the bottleneck of network has not been network transmission, but network processing. On the other hand, a large amount of CPU resources are consumed to capture network packet with the traditional packet capture system, and this has resulted in low efficiency. Thereby, the thesis mainly focuses on the new system of packet capture, which is designed for 10 gigabit network. The new system not only can handle 10 gigabit wire-speed data, but also can analysis network packets protocols and filter the keywords of the packets. Firstly, this thesis proposes a new hardware architecture of network packet capture system, the function of the framework can not only process data with wire-speed, but also can filter invalid garbage data, greatly enhances the efficiency of data capture. Meanwhile, according to the characteristics of network packet protocols, a fast new protocols identification algorithm based on cache is presented, which allows packets to enter cache for identifying the packet head protocols with pipeline, a