Design network billing system with VXD technology

zhaozj2021-02-08  241

Hangzhou Business School Campus Network Billing System

- Design and implementation of billing information acquisition subsystem

Li Zhuangxiang

[Abstract] This article gives a preliminary design and implementation of a Web-based, cross-platform campus network billing system, describes the module structure and functions of the system, and discusses in detail the analysis, design and implementation of the billing information acquisition subsystem (underlying data packet interception and its interface).

[Key words] billing system, underlying data packet interception, TCP/IP, FTP, data packet, shared media information traffic, virtual device, VXD technology, data acquisition, data control

I. Introduction

The Internet is convenient, fast and low in cost, and offers many advantages such as resource sharing. At present our school is connected to the Internet through the national education and research network, which serves our teaching and scientific research, and the billing of Internet services cannot be avoided. Although the network has improved greatly, the rapid increase in the number of network users and in the volume of data transmitted (pictures and multimedia material are increasingly common) means that network bandwidth is still very tight. Billing on the one hand sustains the operation and development of the network, and on the other hand leads users to use network resources reasonably. Because network structures are diverse and billing rules are complex, we analyzed the characteristics of our campus network and propose a design and implementation of a campus network billing system built on the hardware and software of the campus network.

As the basis of the billing system, the interception of billing information is the core of the system. The quality of its analysis, design and implementation directly affects the design and implementation of the whole system and the billing management of the campus network, so this article explores and discusses it.

II. System design and analysis

Internationally, billing management is responsible for monitoring and recording users' use of network resources and for allocating network operating costs. Its main functions are:

(1) Data acquisition (including simple statistics): raw data is collected from a device (such as a billing router) and, after simple statistics, stored in the database. Simple statistics at acquisition time are necessary for two reasons: the raw data is very large, and if everything were recorded the database would often run out of space; and querying and summarizing the raw data is very time-consuming.

(2) Data statistics: further statistics on the data in the database, such as traffic statistics for an IP address range over a certain time period.

(3) Flow analysis: traffic is analyzed by combining the traffic data in the database with other relevant information, for example traffic from illegal users or access traffic to sensitive sites.

(4) Billing information query: for a query submitted through the user management module, after a permission check and according to the user type, the corresponding results are obtained from the data statistics and flow analysis modules.

(5) Report generation: based on traffic data and the charging plan, the amount each user should pay is calculated and a report is generated.

(6) Maintenance of the charging plan: modifying the various billing parameters, such as unit prices and free network segment settings.

The backbone of our school's campus network uses a high-speed non-shared-media structure, but the interconnection of the various departments of the school with the outside world relies on shared media, so our campus network billing system is built at this "gateway".

In a shared-media network, any packet flowing through the network can be intercepted by any host on the same network segment. Therefore, with the billing system placed on the network segment that connects to the outside world, all traffic between the departments and the outside of the campus can be counted.

Overall, our network billing system is divided into three parts. The first is a process on the Win32 platform that intercepts packets, does the initial sorting, generates the log file and applies appropriate control; this is the low-level server, acting as the front end. The second is database management on Windows NT Server, developed with Borland Delphi 4.0, which directly acquires the log file generated by the first part's interception program and, via FTP, the log files generated by other services on the Linux server, analyzes them and compiles statistics on the valid data, with database access going through the BDE. The third is the billing information query subsystem, which lets users who pass the permission check query their billing information and fees for each time period, which helps lighten the workload of network administrators. Details are as follows:

(1) The Internet uses the TCP/IP protocol, so the process on the Win32 platform can extract the required accounting information from all IP packets. For statistics, the following cases are distinguished:

FTP: divided into upload and download; downloaded datagram information is not included in the statistics, uploaded data is counted.
UDP: DIS information is counted.
Dial-up: the log file generated on the router can be analyzed.
Email: the log file left by the Netscape mail server on Windows NT Server can be counted, without intercepting datagrams.

(2) Background database information management is handled by the Delphi system, which collects the above data, organizes and analyzes the FTP, UDP, dial-up and email information again, and stores the necessary statistics in the database, so that the departments using campus network services can check their fees.

(3) In the billing information query subsystem, users access pages with a browser and submit requests, and the system returns the user's costs for using the campus network. The subsystem checks the user's permission (such as identity authentication), queries the database according to the query criteria, and outputs the information the user needs.

System charging basis

For network billing, the most fundamental information is the IP address, the network traffic and the time period. The billing basis of the system is therefore the IP address and traffic, together with statistics by time period, and this information is used in the charging rules.

(1) IP addresses are divided into inside and outside the school, domestic and foreign. Since Internet address management is hierarchical, it is enough to determine which level an address belongs to.
(2) IP traffic is divided into domestic and foreign data traffic.
(3) Time period: for dial-up users, different time periods have different charging rules.
(4) Special departments of the school have their own billing basis.

III. Analysis and design of the billing information acquisition subsystem (underlying data packet interception and its interface)

3.1 About VXD Technology

1. Why use VXD technology

The aim is to reduce the burden on the server. The backbone of our school's campus network uses a high-speed non-shared-media structure, but the interconnection of the various departments with the outside world relies on shared media. Because of this feature, a separate computer can be dedicated to the billing work. The operating system of this machine can be Linux or Win32, but Win32 has the advantage of being easy to operate and visual. Although the Win32 platform does not support direct access to devices, VXD technology can be used to implement this.

2. Key techniques for using a VXD with the NIC

A. Load VXD

    #include <windows.h>

    HANDLE hVxD;

    /* Opening "\\.\name.vxd" with CreateFile loads the VxD dynamically;
       FILE_FLAG_DELETE_ON_CLOSE unloads it again when the handle is closed. */
    hVxD = CreateFile("\\\\.\\vpacket.vxd",
                      GENERIC_READ | GENERIC_WRITE, 0,
                      NULL,
                      OPEN_EXISTING,
                      FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED | FILE_FLAG_DELETE_ON_CLOSE,
                      NULL);
    if (hVxD == INVALID_HANDLE_VALUE)
        return SYSERR;

B. Release VXD

    CloseHandle(hVxD);

C. Bind VXD to the network interface card

    int bind(HANDLE hVxD, BYTE *inBuffer)
    {
        HANDLE     hEvent;
        DWORD      cbRet;
        OVERLAPPED ovlp = {0, 0, 0, 0, 0};
        int        result;
        int        cbIn = 5;

        hEvent = CreateEvent(0, TRUE, 0, NULL);
        if (!hEvent)
            return SYSERR;
        ovlp.hEvent = hEvent;

        /* DeviceIoControl sends a control code directly to the specified
           device, causing the device to perform the corresponding operation. */
        result = DeviceIoControl(hVxD,
                                 IOCTL_PROTOCOL_BIND,
                                 inBuffer, cbIn,
                                 inBuffer, cbIn,
                                 &cbRet,
                                 &ovlp);
        /* Wait only when the request is really pending; waiting after any
           other failure would block forever on an event that is never set. */
        if (!result && GetLastError() == ERROR_IO_PENDING)
            result = GetOverlappedResult(hVxD, &ovlp, &cbRet, TRUE);
        CloseHandle(hEvent);
        return result ? OK : SYSERR;
    }

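D. Read the packet

    /* cbIn must not exceed the size of buffer: the driver writes up to
       cbIn bytes of the received frame into it. */
    int rcvpacket(HANDLE hVxD, BYTE *buffer, DWORD cbIn)
    {
        HANDLE     hEvent;
        DWORD      cbRet = 0;
        OVERLAPPED ovlp = {0, 0, 0, 0, 0};
        int        result;

        hEvent = CreateEvent(0, TRUE, 0, NULL);
        if (!hEvent)
            return SYSERR;
        ovlp.hEvent = hEvent;

        result = DeviceIoControl(hVxD,
                                 IOCTL_PROTOCOL_READ,
                                 buffer, cbIn,
                                 buffer, cbIn,
                                 &cbRet,
                                 &ovlp);
        /* Wait only when the read is really pending. */
        if (!result && GetLastError() == ERROR_IO_PENDING)
            GetOverlappedResult(hVxD, &ovlp, &cbRet, TRUE);
        CloseHandle(hEvent);
        return cbRet;   /* number of bytes read; 0 if the read failed */
    }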

E. Send packet

Sending is similar to reading; the control code is IOCTL_PROTOCOL_WRITE instead of IOCTL_PROTOCOL_READ.

3.2 Analysis and Design of Intercepting Parts

The campus network billing system is divided into three parts, and the underlying data packet interception provides the information on which billing management is based, so we must start from the relevant network knowledge.

Among computer network architectures, the TCP/IP architecture is not an international standard, but it holds a very important position. The world's first packet-switched network was the US military experimental network ARPANET, and its architecture also used a layered structure. Starting from ARPANET, it has now developed into the world's largest computer network, the Internet. Among the protocols used in the Internet, the most famous are the Transmission Control Protocol (TCP) of the transport layer and the Internet Protocol (IP) of the network layer. The TCP/IP architecture has become a de facto international standard for computer networks, also called an industrial standard. Because the Internet uses the TCP/IP protocols (Transmission Control Protocol and Internet Protocol), every data packet flowing through the shared media follows them, so the interception process on the Win32 platform only needs to intercept all TCP/IP datagrams and can then extract the necessary billing data from the packets. For the billing system, the most fundamental information is the source IP address, destination IP address, source port, destination port, TCP/IP packet length, and the time at which the packet passed through the shared-media network segment. This information is obtained by processing the packets according to the TCP/IP protocols. The acquisition part of the billing system is therefore based on the source and destination addresses, the source and destination ports, the TCP/IP packet length, and the time at which the packet flowed past.

The first step is to analyze the packet formats of the two most important protocols in the TCP/IP suite, the Internet Protocol (IP) and the Transmission Control Protocol (TCP), and to extract from the basic header fields the data that is useful as a basis for billing management.

The TCP/IP packet format is described in detail below.

The format of the IP datagram header is shown below:

The meaning of several important fields in the header is:

Total length: 16 bits. The length of the header plus the data, in bytes; this article calls it the traffic. The maximum length of a datagram is 65535 bytes, which is currently sufficient.
Protocol: 8 bits. Indicates which protocol the transport-layer data carried by this datagram uses, so that the IP layer of the destination host knows which process to hand the datagram to. Commonly used protocols and their protocol field values are: UDP (17), TCP (6), ICMP (1), GGP (3), EGP (8), IGP (9), OSPF (89) and ISO TP4 (29).
Source IP address: 32 bits. The address of the host that sent the datagram.
Destination IP address: the address of the host to which the datagram is sent.
Data: the information carried by the datagram.

The format of the corresponding TCP segment header is as follows:

The meaning of the important header field is:

Port: TCP uses ports for addressing. A host often runs several processes at once; to identify which processes are communicating, ports must be set up at the transport layer. A port is a 16-bit address. Common application-layer services each have a corresponding port number, known as a well-known port, with values 0 ~ 255. Commonly used well-known ports include: FTP (File Transfer Protocol) 21, Telnet 23, SMTP (Simple Mail Transfer Protocol) 25, WWW (World Wide Web) 80, POP3 (Post Office Protocol) 110, etc.

From the header formats of the two kinds of packet, the necessary information is extracted from each intercepted TCP/IP datagram: the total length, protocol, source IP address, destination IP address, source port and destination port fields are separated from the packet. Together with the system time at the moment of interception they form a fairly complete billing record, but the record is filtered further: only when one of the source IP address and the destination IP address is an address inside the school does it become a complete billing record.

The second step is how to intercept TCP/IP data packets. Because billing information is dynamic and must be gathered in real time, and because the Win32 operating system is easy to operate and visual, we decided to write the underlying datagram interception module on the Win32 platform. The Win32 system does not provide direct operation of low-level devices, so we use a Win32 programming feature, the virtual device driver, which lets a Win32 program control a device as if it were operating on a file (described in detail in 3.1). Any data packet flowing through the shared-media network segment must also pass the device (NIC) of a computer connected to that segment, so by operating the device all TCP/IP data packets can easily be handled. Because the flow of packets through the shared-media network is uneven, a multithreaded design handles the traffic better.

The third step is the interface between the underlying packet interception and the billing management part on Windows NT Server, which communicate through a log file of packet traffic generated by the interception module. The log file processing question is how to record the valid billing information that has been intercepted and how to hand it on for further processing by the management application. The fields "total length, source IP address, destination IP address, source port, destination port" are separated out, the system time is attached, and the result is stored as one record in a log file, either in the FTP service path of the Windows NT Server system or in a path designated for the billing service on Windows NT Server, from which it is downloaded or copied directly. After the data processing module of the management service has downloaded (using the FTP protocol) or copied the packet traffic log produced under the Win32 operating system, it processes the raw records: it first splits each record back into the important billing fields and imports them into the corresponding database table, at the same time classifying the port type and using the IP address table to distinguish school, domestic and international traffic, inbound and outbound; it then classifies the record by time and, according to the charging rule table, the holiday fee table and the traffic, calculates the corresponding daily and monthly fees (fees are cumulative) and stores them in the table, completing the data processing and billing functions of the billing system.

As can be seen from this discussion, the core of the network billing system is the pair of subsystems "interception of data packets" and "classification, statistics and summary of billing information". The former makes full use of the characteristics of the Win32 operating system to intercept packets; the latter uses database technology to manage the billing information. The two are processed independently of each other, but they are necessarily connected. Although the query system is a separate module, it can be seen as part of billing information processing.

The detailed structure diagram of the modules of the billing information interception subsystem is shown below:

3.3 Principles of flow control and overall design

In every layer of any network architecture, control is an essential function, but different layers control different things, and the work is divided between the layers. The IP layer in the TCP/IP architecture is similar to the network layer in the OSI/ISO architecture, and its control functions include error control, congestion control and path control. The IP layer is a crucial layer of the TCP/IP architecture, and its control functions are the most complicated. The IP-layer protocol ICMP is the main means of transferring network control information in TCP/IP. ICMP also provides error reporting, which can be used to implement traffic control on the campus network. Like other higher-level protocol data, an ICMP packet is encapsulated in the data area of an IP datagram, as shown.

IP datagram header | ICMP packet (carried in the data area of the IP datagram)

The Protocol field of an IP datagram that contains an ICMP packet indicates that the content of the data area is an ICMP packet.

An ICMP packet is itself divided into a header and a data area; the header contains three fields: "type", "code" and "checksum". The ICMP packet format is shown in the figure.

The "type" field is a one-byte integer indicating the type of the ICMP packet.
The "code" field is a one-byte integer giving further information about the packet type.
The "checksum" field is two bytes and holds the checksum of the entire ICMP packet.
The "data area" contains the header of the datagram that caused the error report and the first 64 bits of that datagram's data.

The meaning of the type field is as follows:

The main function of a gateway is to route and forward datagrams, but routing and forwarding do not always succeed. In the following cases the gateway finds that the destination is not reachable: (1) the destination hardware is not running (for example because of a fault or shutdown); (2) the destination address specified by the sender does not exist, or the gateway does not know a path to the destination. When this happens, the gateway sends a "destination unreachable" packet (as shown) to the source and discards the corresponding datagram.

In the ICMP "destination unreachable" message format, the type field indicates "destination unreachable". The code field can take 13 values, 0 to 12, which subdivide it further, as shown in the table:

Analyzing the network architecture of our school, it is not difficult to see that traffic control is easy to implement on a shared-media network: forging an ICMP packet is enough to cause interference. When an IP packet (other than ICMP itself) is received, its IP address is checked for validity; if it is invalid, an error control message (ICMP) is sent to the source. The local area network is much faster than the wide area network, so this error control message (ICMP) is certain to arrive well before the genuine reply, and the genuine reply is then discarded as invalid data, which achieves the interference. This is the key step. Experiments showed that code values 0 and 1 can both be used; because "unreachable" has four levels, from largest to smallest: network, host, protocol, port, the value 1 is suitable.
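Seen from the monitoring side, the interference described above leaves a recognizable trace: a "destination unreachable" message for a connection, followed by a genuine segment from the host that was reported unreachable. The following added example (not part of the original system; function names and sample packets are constructed) parses such messages and counts the ones contradicted by later traffic. A real transient outage can produce the same pattern, so a hit is a signal to investigate rather than proof.

```c
/* Added example: flag ICMP "destination unreachable" messages that are
 * contradicted by a later TCP segment from the supposedly unreachable host. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct flow { uint32_t src, dst; uint16_t sport, dport; };
struct pkt  { const uint8_t *data; size_t len; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Internet checksum; yields 0 over a message whose checksum field is valid. */
uint16_t inet_cksum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (; n > 1; p += 2, n -= 2) sum += rd16(p);
    if (n) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* For a valid type 3 message quoting a TCP datagram, fill *f with the quoted
 * flow and return the code (0..12); return -1 for anything else. */
int parse_unreach(const uint8_t *p, size_t len, struct flow *f)
{
    if (len < 20 || (p[0] >> 4) != 4 || p[9] != 1) return -1;
    size_t ihl = (p[0] & 15) * 4u, tot = rd16(p + 2);
    if (ihl < 20 || tot > len || tot < ihl + 8 + 20 + 8) return -1;
    const uint8_t *icmp = p + ihl;
    if (icmp[0] != 3 || icmp[1] > 12) return -1;
    if (inet_cksum(icmp, tot - ihl) != 0) return -1;
    const uint8_t *q = icmp + 8;              /* quoted IP header + 64 bits */
    size_t qihl = (q[0] & 15) * 4u;
    if (qihl < 20 || q[9] != 6 || tot < ihl + 8 + qihl + 8) return -1;
    f->src = rd32(q + 12);      f->dst = rd32(q + 16);
    f->sport = rd16(q + qihl);  f->dport = rd16(q + qihl + 2);
    return icmp[1];
}

/* 1 if p is a TCP segment from the quoted destination back to the source. */
int is_reply_for(const uint8_t *p, size_t len, const struct flow *f)
{
    if (len < 20 || (p[0] >> 4) != 4 || p[9] != 6) return 0;
    size_t ihl = (p[0] & 15) * 4u;
    if (ihl < 20 || len < ihl + 4) return 0;
    return rd32(p + 12) == f->dst && rd32(p + 16) == f->src &&
           rd16(p + ihl) == f->dport && rd16(p + ihl + 2) == f->sport;
}

/* Count unreachable messages later contradicted by the "unreachable" peer. */
int count_contradicted(const struct pkt *v, size_t n)
{
    struct flow pending[16], f;
    size_t np = 0, i, j;
    int hits = 0;
    for (i = 0; i < n; i++) {
        if (parse_unreach(v[i].data, v[i].len, &f) >= 0) {
            if (np < 16) pending[np++] = f;
            continue;
        }
        for (j = 0; j < np; j++)
            if (is_reply_for(v[i].data, v[i].len, &pending[j])) {
                hits++;
                pending[j] = pending[--np];   /* report each message once */
                break;
            }
    }
    return hits;
}

/* Constructed samples (IP datagrams; header checksums left zero, unchecked). */
static const uint8_t UNREACH[56] = {
    0x45,0,0,0x38, 0,1,0,0, 0x40,0x01,0,0, 210,33,89,1, 210,33,89,200,
    0x03,0x01, 0x1C,0x4A, 0,0,0,0,            /* type 3, code 1, checksum */
    0x45,0,0,0x28, 0x12,0x34,0x40,0, 0x40,0x06,0,0,
    210,33,89,200, 202,102,13,156,            /* quoted source, destination */
    0x05,0x14, 0x00,0x50, 0,0,0,1 };          /* ports 1300 -> 80, sequence */
static const uint8_t REPLY[40] = {            /* 202.102.13.156:80 -> user */
    0x45,0,0,0x28, 0,2,0x40,0, 0x40,0x06,0,0,
    202,102,13,156, 210,33,89,200, 0x00,0x50, 0x05,0x14 };
static const uint8_t OTHER[40] = {            /* a different connection */
    0x45,0,0,0x28, 0,3,0x40,0, 0x40,0x06,0,0,
    202,102,13,156, 210,33,89,106, 0x00,0x50, 0x04,0xDE };

int main(void)
{
    struct pkt seen[] = { {UNREACH, sizeof UNREACH}, {OTHER, sizeof OTHER},
                          {REPLY, sizeof REPLY} };
    printf("contradicted unreachable messages: %d\n", count_contradicted(seen, 3));
    return 0;
}
```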

IV. System structure and implementation

4.1 Structure of the system

The design of the campus network billing system is Web-based and cross-platform; the system structure is shown below:

4.2 Implementation of the system

The network billing system is divided into three major modules: the datagram interception module on the Win32 platform, the database information management module on Windows NT Server 4.0, and the web information query module.

1. Sub-modules of the datagram interception process on the Win32 platform:
Reading thread: intercepts the datagrams flowing through the shared media and stores them in a shared memory segment.
Writing thread: reads the datagrams from the shared memory segment and, after preliminary sorting, writes the log file.

2. Sub-module of database information management on Windows NT:
Analysis and statistics module: receives the accounting information from the underlying interception, the mail log on the mail server and the dial-up log, analyzes it, and stores the valid billing statistics in the database.

3. Web information query module:
Common Gateway Interface part: according to the user's request, extracts the relevant charging information from the billing information database and returns it to the user as HTML.
HTML form part: users access the page through a browser and submit a request, and the fees for their use of campus network services are returned.

V. System realization of billing information interception subsystem

5.1 Implementation of billing information interception subsystem (underlying data packet interception)

Description of the basic data structures

Win32 virtual device driver technology makes it possible to control a device as if it were a file, and any data packet flowing through the shared-media network segment inevitably passes the device (NIC) of a computer connected to that segment. Using this feature of the Win32 operating system, the device can easily be operated to intercept all TCP/IP data packets.

The data structures are therefore defined in the system's include header file:

    struct EtherAddr {
        unsigned char AddrByte[6];
    };

    struct EtherPacketHead {
        struct EtherAddr DestEther;   /* destination MAC address */
        struct EtherAddr SourEther;   /* source MAC address */
        unsigned short   ServType;    /* Ethernet type, network byte order */
    };

    struct IPAddr {
        unsigned char AddrByte[4];
    };

    struct IPPacketHead {
        BYTE VerHLen;                 /* version (4 bits) + header length (4 bits) */
        BYTE Type;                    /* type of service */
        WORD TtlLen;                  /* total length, network byte order */
        WORD ID;
        WORD FlgOff;                  /* flags + fragment offset */
        BYTE TTL;                     /* time to live; needed so that Proto sits at offset 9 */
        BYTE Proto;                   /* protocol: 6 = TCP, 17 = UDP, 1 = ICMP */
        WORD ChkSum;
        struct IPAddr SourIP;
        struct IPAddr DestIP;
    };

Initialization process

Initializing the interface of the NIC device:

1. Load the virtual driver: refer to 3.1 About VXD Technology.

2. Bind the virtual driver to the device:

    if (!this->bind(hVxD, ndis)) {
        ShowMessage("Unable to bind network device (NIC)");
        return;
    }

Here ndis is the device name, generally 0000,000, etc. It can be found in the Win32 registry under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Net\0000 (set when the adapter is installed).

Create the two threads

The reading thread is responsible for reading data packets from the network card device and putting them into the buffer:

    GetIPThread *GetIPPacket = new GetIPThread(true);
    GetIPPacket->Resume();   // request synchronization

The writing thread is responsible for reading packets from the buffer and filtering on the network protocol value of each packet; only packets whose protocol value is 6 are valid. It also displays the current status in real time and performs other Windows-related operations:

    SaveInfo *SaveMemo = new SaveInfo(true);
    SaveMemo->Resume();

The filtering code in the program is as follows:

    if (FormMain->swaps(...) == ETHER_PROTO_IP)   // filter on the Ethernet type
    {
        ...
        if (pIPHead->Proto == 6)   // TCP (6)
        {
            ...   // the protocol value is 6, that is, a TCP data packet
        }
        ...
    }

At the same time, the destination port value must also be checked. Common Internet services are FTP (File Transfer Protocol) 21, Telnet (remote login) 23, SMTP (Simple Mail Transfer Protocol) 25, WWW (World Wide Web) 80 and POP3 (Post Office Protocol) 110.

Therefore only the values of these well-known ports need to be distinguished:

    switch (FormMain->DestPort) {
    case 21:   p = FormMain->Port[0];  break;  // FTP (send command)
    case 20:   p = FormMain->Port[9];  break;  // FTP (send data); the FTP data port is 20
    case 23:   p = FormMain->Port[1];  break;  // Telnet (remote login)
    case 80:   p = FormMain->Port[2];  break;  // Web (Internet)
    case 8000: p = FormMain->Port[3];  break;  // OICQ (8000)
    case 6666: p = FormMain->Port[4];  break;  // ICQ (6666)
    case 139:  p = FormMain->Port[5];  break;  // network neighborhood (remote access)
    case 110:  p = FormMain->Port[6];  break;  // POP3 (receive mail)
    case 25:   p = FormMain->Port[7];  break;  // SMTP (send mail)
    case 443:  p = FormMain->Port[2];  break;  // PWS (Personal Web Server)
    case 70:   p = FormMain->Port[8];  break;  // Gopher
    case 8080: p = FormMain->Port[10]; break;  // Hangzhou Business School internal network
    case 1433: p = FormMain->Port[12]; break;  // SQL Server
    default:   p = FormMain->Port[11]; break;  // all IP packets
    }

After a datagram has passed the filter, the valid billing information (source IP address, source port, destination IP address, destination port, message length, system interception time) is obtained, and the records are written to the log file (ipinfo.log) in batches, once every 512 records.

Exit processing

To keep the system secure and stable, when the module exits it must close, one by one, the files and devices it has opened, and save any billing information that has not yet been saved. The log file record format is as follows: (source IP address, source port, destination IP address, destination port, packet length, system interception time).

The log file instance intercepted in the module is:

......
210.33.89.106:1246:202.102.13.156:80:40:2000/5/21
......
210.33.89.105:1579:194.117.203.152:80:40:2000/5/21
......

The data processing module of the billing part on Windows NT Server fetches the log file through the FTP protocol, analyzes, classifies, counts and summarizes the records, and finally obtains the valid billing management information and imports it into the billing information database. This is the basic interface handling.
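The extraction and filtering described in sections 3.2 and 5.1, as an added example in C that is not the original module's code: it parses one captured Ethernet frame into the billing fields, keeps only packets with a campus address, and formats the record in the log format above. The 210.33.89.0/24 campus prefix is an assumption taken from the sample log addresses, and the function names and the sample frame are constructed; beyond the page's filter it also accepts UDP and bounds-checks the length field against the captured frame.

```c
/* Added example: Ethernet frame -> billing record in the log format
 * source IP:source port:destination IP:destination port:length:date */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_PROTO_IP 0x0800
#define CAMPUS_NET     0xD2215900u  /* 210.33.89.0: assumed campus prefix */
#define CAMPUS_MASK    0xFFFFFF00u  /* /24: assumption */

struct bill_rec {
    uint32_t src_ip, dst_ip;        /* host byte order */
    uint16_t src_port, dst_port;    /* 0 when the packet carries no ports */
    uint16_t total_len;             /* IP total length, the "traffic" */
    uint8_t  proto;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }
static int is_campus(uint32_t ip) { return (ip & CAMPUS_MASK) == CAMPUS_NET; }

/* Returns 1 and fills *r for a billable packet, 0 if the frame is filtered
 * out (not IP, not TCP/UDP, no campus address), -1 if it is malformed. */
int parse_frame(const uint8_t *f, size_t len, struct bill_rec *r)
{
    if (len < 14 + 20) return -1;
    if (be16(f + 12) != ETHER_PROTO_IP) return 0;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20) return -1;
    r->total_len = be16(ip + 2);
    /* The length field comes from the wire: never trust it past the capture. */
    if ((size_t)r->total_len < ihl || (size_t)r->total_len > len - 14) return -1;
    r->proto = ip[9];
    if (r->proto != 6 && r->proto != 17) return 0;     /* TCP (6), UDP (17) */
    r->src_ip = be32(ip + 12);
    r->dst_ip = be32(ip + 16);
    if (!is_campus(r->src_ip) && !is_campus(r->dst_ip)) return 0;
    r->src_port = r->dst_port = 0;
    if ((be16(ip + 6) & 0x1FFF) == 0) {                /* first or only fragment */
        if ((size_t)r->total_len < ihl + 4) return -1; /* ports missing */
        r->src_port = be16(ip + ihl);
        r->dst_port = be16(ip + ihl + 2);
    }   /* later fragments have no port fields but still count as traffic */
    return 1;
}

#define OCTETS(a) (unsigned)((a) >> 24), (unsigned)((a) >> 16 & 255), \
                  (unsigned)((a) >> 8 & 255), (unsigned)((a) & 255)

/* Writes one log line; date is the interception date supplied by the caller. */
int format_rec(const struct bill_rec *r, const char *date, char *out, size_t n)
{
    return snprintf(out, n, "%u.%u.%u.%u:%u:%u.%u.%u.%u:%u:%u:%s",
                    OCTETS(r->src_ip), (unsigned)r->src_port,
                    OCTETS(r->dst_ip), (unsigned)r->dst_port,
                    (unsigned)r->total_len, date);
}

/* Constructed sample frame: TCP 210.33.89.106:1246 -> 202.102.13.156:80 */
static const uint8_t SAMPLE[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x00,0xAA,0xBB,0xCC,0xDD,0xEE, 0x08,0x00,
    0x45,0x00, 0x00,0x28, 0x12,0x34, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    210,33,89,106, 202,102,13,156,
    0x04,0xDE, 0x00,0x50            /* ports; rest of the TCP header is zero */
};

int main(void)
{
    struct bill_rec r;
    char line[80];
    if (parse_frame(SAMPLE, sizeof SAMPLE, &r) == 1) {
        format_rec(&r, "2000/5/21", line, sizeof line);
        puts(line);
    }
    return 0;
}
```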

5.2 Design and Implementation of Traffic Control

Design and implementation

Create a legitimate user's database as follows:

When Type is TRUE (that is, for a registered user), the Time field and the Date field are automatically invalid. Time is the remaining time of the card user, in hours but accurate to the second. Date is the validity period of the NIC; the NIC cannot occupy the database permanently, and the time in the Date field is the point at which the database periodically clears it.

The detailed structural diagram of the charging information interception subsystem is as follows:

Basic data structure

The data structure is defined in the system's include header file:

    struct ICMPPacketHead {
        BYTE Type;     /* ICMP type */
        BYTE Code;     /* ICMP code, between type and checksum as described in 3.3 */
        WORD ChkSum;   /* checksum of the entire ICMP packet */
    };

Initialization procedure: refer to 3.2 Analysis and Design of Intercepting Parts.

Create the two threads

The reading thread is responsible for reading data packets from the NIC device and putting them into the buffer:

    GetIPThread *GetIPPacket = new GetIPThread(true);
    GetIPPacket->Resume();   // request synchronization

The interference thread is responsible for reading packets from the buffer and filtering on the network protocol value of each packet; only packets whose protocol value is 6 are valid. It also checks for invalid IP addresses and interferes with them:

    SaveInfo *SaveMemo = new SaveInfo(true);
    SaveMemo->Resume();

The filtering and interference code in the program is as follows:

    if (IsValid(apSourIP) || IsValid(apDestIP))
        FormMain->MemorPy->Lines->Add("legal user");
    else {
        FormMain->MemorPy->Lines->Add("illegal user");
        // send an ICMP packet to interfere with the illegal user
        SendICMPPacket(FormMain->hVxD, pDestEther, pSourEther,
                       pDestIP, pSourIP, buffer, 128);
    }

Exit processing

To keep the system secure and stable, when the module exits it must close, one by one, the files it has opened.

VI. Conclusion

In the preliminary design and implementation of the campus network billing system described above, intercepting data at the lowest level makes it possible to obtain the necessary information quickly, so that the billing system runs more quickly, accurately and effectively and meets the network management requirements of the campus network. It cannot be denied that the underlying datagram module is not yet perfect. So far, the control part can only accept legitimate users entered by hand: IP addresses and MAC addresses have to be entered manually, whereas in theory a correct user name and password should be enough to obtain the IP and MAC addresses. In this respect it falls short of large-scale information service networks such as 163 and 169, and this module needs continued extension and improvement.

On the completion of this paper, I express my deep gratitude to the teachers and to Mr. Shiyin Bao for their careful guidance and teaching. During the graduation design and the writing of the paper, they gave enthusiastic and careful instruction, which allowed my project and the paper to be completed. My tutors' rigorous and pragmatic attitude, profound knowledge and tireless spirit are hard for me to forget.
