1. GITHUB路径
https://github.com/MiterV1/dpdk-hyperscan
1.如何实现端口过滤
2.如何实现协议过滤
dpdk收包
nb_rx = rte_eth_rx_burst(portid, 0, pkts_burst, MAX_PKT_BURST); 解析包的五元组 l2fwd_parse_ipv4_5tuple(m, &tuple); 判断五元组中port与协议与给定值是否相同
if (tuple.port_src == get_ui_port_filter_src_port() || tuple.port_dst == get_ui_port_filter_dst_port()) {
dump_pcap_write(dump_fd, m);
continue;
}
if (tuple.proto == proto) {
dump_pcap_write(dump_fd, m);
continue;
}
相同则将包数据写到pcap文件中
3.如何实现应用过滤
先计算五元组的hash值,先在hash表中查看是否包含该hash项
如果有该hash项则说明为某条应用流,直接dump到pcap文件
m_data.hash = rte_hash_hash(m_data.handle, &tuple);
m_data.tuple = &tuple;
int ret = rte_hash_lookup_with_hash(m_data.handle, &tuple, m_data.hash);
if (ret > 0) {
dump_pcap_write(dump_fd, m);
如果在hash表中未找到该hash项,那么说明需要对该数据包进行匹配,使用hyperscan提取其中的特征信息
if (hs_scan_stream(g_streams[m_data.hash % 4096], rte_pktmbuf_mtod(m, char *),
rte_pktmbuf_data_len(m), 0, g_scratch, eventHandler, &m_data) != HS_SUCCESS) {
fprintf(stderr, "hs_scan_stream error.\n");
}
调用scan_stream函数对数据包匹配之前编译的规则信息,如果匹配成功则调用eventHandler函数
该函数将添加该流信息到流表中,用于后续的流表匹配
static int eventHandler(unsigned int id, unsigned long long from,
unsigned long long to, unsigned int flags, void *ctx)
{
printf("Match for pattern \"%d\" at offset %llu\n", id, to);
struct matched_data *mdata = (struct matched_data *)ctx;
rte_hash_add_key_with_hash(mdata->handle, mdata->tuple, mdata->hash);
return 0;
}
4. GTK3.0 GUI界面
使用GTK3.0添加前端界面与后端程序进行交互,效果如图所示:
4. 源码安装相关
工程目录如下所示:
dpdk hyperscan l2fwd-hyperscan
1. 安装hyperscan
sudo apt-get install cmake
sudo apt-get install libboost-all-dev
sudo apt-get install ragel
sudo apt-get install libpcap-dev
sudo apt-get install sqlite3
cmake CMakeLists.txt
make
2. 安装并编译DPDK
3. 绑定网卡
4. 编译工具
export RTE_SDK=你的DPDK路径到x86_64-native-linuxapp-gcc级别:例如/home/user/work/dpdk/x86_64-native-linuxapp-gcc
export HYPERSCAN_SDK=你的hyperscan路径:例如/home/user/work/hyperscan
cd l2fwd-hyperscan
cd src
make
5. 启动工具
cd ../
./l2fwd-hyperscan -c 1 -n 1 -- -p 1
