Method and device for network traffic identification

Bibliographic Details
Main Authors: WU HONGNING, LUO YING, LIN KANG, HOU YONGJUN
Format: Patent
Language: eng
Description
Summary: The application provides a method and a device for network traffic identification. The method comprises the following steps: inspecting the header of an obtained data packet to be identified and determining the network protocols used by the transport layer and by each layer below it; extracting an IP address and a port from the header of the data packet; looking up the IP address and the port in a preset flow table; if the IP address and the port are found, determining that the network protocol and the application corresponding to them in the flow table are the network protocol and the application used by the application layer; if they are not found, matching the payload data of the data packet against feature keywords in a preset feature library; and, if the match succeeds, determining that the network protocol and the application corresponding to the matched feature keywords are those used by the application layer. Compared with the prior art, the application has the advantage that not only can the application-layer protocol be accurately identified through the preset flow table and feature library, but the application type can also be determined from the correspondences recorded in the flow table and the feature library, so the identification results are more comprehensive.
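
The two-stage lookup described in the summary, as an added Python sketch that is not code from the patent or its authors. The table contents, application names, function names, the choice to parse raw IPv4 packets without a link-layer header, and the check of both endpoints against the flow table are all assumptions made for illustration.

```python
import struct

# Constructed sample tables (assumptions, not data from the patent).
FLOW_TABLE = {("203.0.113.10", 443): ("TLS", "ExampleMail")}
FEATURE_LIBRARY = [(b"BitTorrent protocol", "BitTorrent", "ExampleTorrent"),
                   (b"HTTP/1.1", "HTTP", "generic-web")]
L4_NAMES = {6: "TCP", 17: "UDP"}

def parse_ipv4(packet):
    """Return (l4_name, src, dst, payload) for a raw IPv4 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    min_l4 = 20 if proto == 6 else 8
    if ihl < 20 or proto not in L4_NAMES or len(packet) < ihl + min_l4:
        return None
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    # TCP header length comes from the data-offset nibble; UDP is fixed at 8.
    l4_len = (packet[ihl + 12] >> 4) * 4 if proto == 6 else 8
    if l4_len < min_l4:
        return None
    src = (".".join(map(str, packet[12:16])), sport)
    dst = (".".join(map(str, packet[16:20])), dport)
    return L4_NAMES[proto], src, dst, packet[ihl + l4_len:]

def identify(packet):
    """Header parse, then flow-table lookup, then payload keyword match."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return None
    l4, src, dst, payload = parsed
    result = {"l3": "IPv4", "l4": l4, "l7": None, "app": None, "via": "unidentified"}
    for endpoint in (dst, src):  # assumption: either endpoint may be listed
        if endpoint in FLOW_TABLE:
            l7, app = FLOW_TABLE[endpoint]
            return dict(result, l7=l7, app=app, via="flow_table")
    for keyword, l7, app in FEATURE_LIBRARY:
        if keyword in payload:
            return dict(result, l7=l7, app=app, via="feature_library")
    return result

def build_packet(proto, src, dst, payload=b""):
    """Build a constructed IPv4 test packet (checksums left at zero)."""
    l4 = struct.pack("!HH", src[1], dst[1])
    l4 += (struct.pack("!IIBBHHH", 0, 0, 0x50, 0x18, 65535, 0, 0) if proto == 6
           else struct.pack("!HH", 8 + len(payload), 0))
    addrs = b"".join(bytes(map(int, ip.split("."))) for ip in (src[0], dst[0]))
    head = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0)
    return head + addrs + l4 + payload
```

Because the flow table is consulted first, a listed endpoint is classified from its table entry even when the payload also contains a feature keyword.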