Network anomaly Detection

Network Exception checking 2

Author Cpplive | Posted on 2012-02-17

Article Category: C language, Linux, Windows, applications and programming, networking

First, the purpose of this article

In practical project applications involving network programming, the TCP long connection may be disconnected normally or abnormally at any time because the network is unlikely to be in an ideal state, and if it is not processed, it may cause many potential problems for the program. The purpose of writing this document is to address the network program may encounter a variety of problems, come out with you to discuss the specific problems of the solution, at the same time I will be a number of early research solutions listed, to stimulate the hope that we can brainstorm, to find a more reasonable solution.

Second, the network disconnection time

1. Normal network disconnection

(1) CS Party call Close

(2) CS Party program Normal exit, such as CTRL + C event can be detected by the system, the corresponding socket will also be marked as disconnected by the system.

2. Abnormal network disconnection

(1) CS side network cable is dialed out

(2) routing failure between CS, physical connection disconnection

(3) CS side power off or when the machine

(4) CS side wireless signal is poor or the wireless interface is turned off

(5) CS side Change IP event can not be detected by the system, this time reading data will not be error, will only be blocked; Write data will not return an error until the buffer is full. If a disconnect event cannot be detected in time, there may be a fatal error for some scenarios. such as the service side maintenance of the client online information error.

Third, the network disconnection commonly used detection method

1. Handle Normal network disconnection

(1) Select captures readable events, read returns 0

(2) Epoll capture readable event, read returns 0

(3) Active read return error

(4) Active write return error

2. Handling Abnormal network disconnection

(1) Application layer keepalive detection

In the application layer protocol, it is the most common and safest way to join the heartbeat handshake mechanism to maintain the connectivity between server and client. The client periodically sends a probe packet to the server, and if the service side responds, the server is online, otherwise it is processed offline, and the server can also process the client without sending the probe packet for a long time. The scheme is supported by all systems, has good cross-platform performance, and can be detected by network failure on the end. The disadvantage is that it requires the application layer protocol support, the program needs to maintain the long-term heartbeat handshake package, relatively cumbersome.

(2) Transmission layer keepalive detection

In addition to the application layer KeepAlive detection mechanism, TCP internal integration of the KeepAlive mechanism, the default shutdown, it is convenient to open it. It can be detected by a network fault on the side and itself. But not all systems are supported, and some systems, although supported but affect all sockets, consume additional bandwidth and traffic, and are not recommended for use.

View Plaincopy to Clipboardprint?

2. Enable the heartbeat mechanism, if you want to turn it off, place KeepAlive 0
4. SetSockOpt (fd,sol_socket,so_keepalive, (void*) &keepalive,sizeof (KEEPALIVE));
6. Enable the heartbeat mechanism to start idle time between the first heartbeat detection packet sent
8. SetSockOpt (Fd,sol_tcp,tcp_keepidle, (void *) &start,sizeof (start));
10. Two heartbeat detection packets between the time interval
12. SetSockOpt (FD,SOL_TCP,TCP_KEEPINTVL, (void *) &interval,sizeof (interval));
14. Number of probes, which will be detected as TCP disconnects
16. SetSockOpt (fd,sol_tcp,tcp_keepcnt, (void *) &count,sizeof (count));

(3) Network layer keepalive detection

The ping command is almost the network connectivity Detection command for all platforms, taking the network layer ICMP protocol, consider using the Popen function to call the system's own Ping command to encapsulate the network connectivity detection function. It is actually a KeepAlive mechanism of the network layer.

View Plaincopy to Clipboardprint?

2. int Checkconnect (char *dst, int cnt)
4. {
6. FILE *stream;
8. sprintf (Cmdbuf, "ping%s-c%d-i 0.2 | grep time= |  Wc-l ", DST, CNT);
10. stream = Popen (Cmdbuf, "R");
12. Fread (Recvbuf, sizeof (char), sizeof (RECVBUF)-1, stream);
14. Pclose (stream);
16. if (atoi (RECVBUF) > 0) return 0;
18. return-1;
20. }

DST specifies the destination address to be detected, CNT specifies the number of ping attempts, and the-I parameter specifies the time-out for the ping attempt.

(4) Application layer monitoring kernel message mechanism

NetLink is a special socket that is unique to 2.6.14 and later Linux, through which application-level programs can easily customize specific messages to the kernel, such as the offline network card. You can also set or query configuration, such as IP, routing, network traffic information, and so on.

A. Create a NetLink socket:

1. FD = socket (Af_netlink, Sock_raw, Netlink_route);

b, bound routing multicast Group, monitoring network card information:

View Plaincopy to Clipboardprint?

1. addr.nl_family = Af_netlink;
2. Addr.nl_groups = Rtnlgrp_link; //Specify receive routing multicast group messages
3. Bind (FD, (struct sockaddr*) &addr, sizeof (addr));

c, listening socket, once readable, parsing its content, real-time monitoring network card on the offline event.

Advantages: High real-time, easy to use.

Disadvantage: Poor cross-platform, can only detect their own network failure.

(5) Application Layer network card information polling mechanism

The network card information polling mechanism is to periodically invoke the IOCTL function to perform the following actions:

View Plaincopy to Clipboardprint?

2. struct ifconf ifc;
4. struct Ifreq ifrcopy;
6. Get NIC Information list
8. IOCTL (FD, siocgifconf, (char *) &IFC);
10. Get the status of the NIC on the Downline
12. IOCTL (FD, Siocgifflags, &ifrcopy);
14. Get MAC Address
16. IOCTL (FD, SIOCGIFHWADDR, (char *) (&ifrcopy);
18. Get IP Address
20. IOCTL (FD, SIOCGIFADDR, (char *) &ifrcopy);
22. Get broadcast Address
24. IOCTL (FD, SIOCGIFBRDADDR, &ifrcopy));

Disadvantages:

A, cross-platform poor.

Can be successfully ported to Linux,Android,Windows platform, but due to the IPhone platform to get Mac and IP parameters different, need special treatment.

b, real-time and flexibility is not high.

C, consume resources, affect performance.

D, can only detect their own network failure.

Network anomaly Detection