Inkampani ye-AOL ukukhutshwa kwesixokelelwano sokufaka, ukugcina kunye nokunika isalathisi iipakethi zenethiwekhi , ebonelela ngezixhobo zokuvavanya ngokubonakalayo ukuhamba kwezithuthi kunye nokukhangela ulwazi olunxulumene nomsebenzi wenethiwekhi. Ikhowudi ibhalwe ngolwimi lwe-C (i-interface kwi-Node.js/JavaScript) kunye ilayisenisi phantsi kweApache 2.0. Ixhasa umsebenzi kwiLinux kunye neFreeBSD. Ulungile ilungiselelwe iinguqulelo ezahlukeneyo ze-CentOS kunye no-Ubuntu.
Le projekthi yenziwe ngo-2012 ngenjongo yokudala ukutshintshwa okuvulekileyo kweplatifomu yokuthengisa ipakethe yenethiwekhi enokuthi ifikelele kwi-AOL traffic volumes. Ukuphunyezwa kwenkqubo entsha kwi-AOL kwenza kube lula ukuphumeza ulawulo olupheleleyo kwiziseko ezingundoqo ngenxa yokuthunyelwa kwiiseva zayo kunye nokunciphisa kakhulu iindleko - usebenzisa i-Moloch ukubamba ngokupheleleyo i-traffic kuzo zonke iinethiwekhi ze-AOL zibiza imali efanayo xa usebenzisa. Ngaphambili, yayichithwe ekubambeni i-traffic kwinethiwekhi enye kuphela. Inkqubo inokulinganisa ukusetyenzwa kwetrafikhi ngesantya samashumi eegigabhithi ngomzuzwana. Umthamo wedatha egciniweyo ulinganiselwe kuphela ngobungakanani bediski ekhoyo.
Imetadata yeseshoni ifakwe kwi-indexed cluster esekelwe kwi-injini .
I-Moloch iquka izixhobo zokubamba kunye ne-indexing traffic kwifomathi ye-PCAP yendabuko, kunye nokufikelela ngokukhawuleza kwidatha enesalathisi. Ukuhlalutya ulwazi oluqokelelweyo, i-interface yewebhu inikezelwa evumela ukuba uhambe, ukhangele kwaye ukhuphe iisampuli. Kubonelelwe kwakhona , ekuvumela ukuba udlulise idatha malunga neepakethi ezithathiweyo kwifomathi ye-PCAP kunye neeseshoni ezicazululiweyo kwifomathi ye-JSON kwizicelo zomntu wesithathu. Ukusetyenziswa kwefomathi ye-PCAP kwenza lula kakhulu ukudibanisa kunye nabahlalutyi bezithuthi abakhoyo njenge-Wireshark.
IMoloch inamacandelo amathathu asisiseko:
- Inkqubo yokubamba i-traffic system yi-multi-threaded C yesicelo sokubeka iliso kwi-traffic, ukubhala ukulahla kwifomathi ye-PCAP kwi-disk, ukucazulula iipakethi ezifakiwe kunye nokuthumela i-metadata malunga neeseshoni (SPI, ukuhlolwa kwepakethi ye-Stateful) kunye neeprotocol kwi-cluster ye-Elasticsearch. Kuyenzeka ukugcina iifayile zePCAP kwifom efihliweyo.
- Ujongano lwewebhu olusekwe kwiqonga leNode.js, elisebenza kwiseva yokubanjwa kwetrafikhi nganye kunye neenkqubo zezicelo ezinxulumene nokufikelela kwidatha enesalathisi kunye nokudlulisa iifayile zePCAP nge. .
- Ugcino lwemetadata olusekwe kwi-Elasticsearch.
Ujongano lwewebhu lubonelela ngeendlela ezininzi zokujonga - ukusuka kwiinkcukacha-manani ngokubanzi, iimephu zoqhagamshelo kunye neegrafu ezibonakalayo ezinedatha malunga notshintsho kumsebenzi womnatha ukuya kwizixhobo zokufunda iiseshoni zomntu ngamnye, ukuhlalutya umsebenzi kumxholo wemigaqo esetyenziswayo kunye nokwahlulahlula idatha kwi-PCAP yokulahla.
Π :
- Utshintsho lwenziwe ekusebenziseni ifomati engachwetheziyo ukulungiselela isalathiso kwi-Elasticsearch.
- Imizekelo eyongeziweyo yezihluzi zokubanjwa kwetrafikhi eLua.
- Inkxaso ye-46-draft version ye-QUIC protocol iphunyeziwe.
- Ikhowudi yokwahlulahlula iiprothokholi iye yaphinda yasetyenziswa, nto leyo eyenza kube lula ukubhala abahlalutyi be-Ethernet kunye neeprothokholi zenqanaba le-IP.
- Abahlalutyi abatsha baye bandululwa kwiiprothokholi ze-arp, i-bgp, igmp, isis, lldp, ospf kunye ne-pim, kunye noluhlu lweeprotocol ezingaziwayo ze-unkEthernet kunye ne-unkIpProtocol.
- Kongezwe ukhetho lokuvala ngokukhethiweyo abahluli (disableParsers).
- Ukukwazi ukubonisa nayiphi na indawo edibeneyo kwiitshathi, ezibekwe kwiphepha lezicwangciso, zongezwe kujongano lwewebhu.
- Iigrafu kunye nezihloko ngoku zinokumiswa kwaye zingashukumi xa kuskrolwa iphepha.
- Uninzi lweebar zokukhangela zifihliwe okanye zidilike ngokungagqibekanga.
umthombo: opennet.ru