Method and device for identifying network flow

Bibliographic details
Main authors: WU HONGNING, LUO YING, LIN KANG, HOU YONGJUN
Format: Patent
Language: eng
Description
Summary: The invention provides a method and device for identifying network flow. The method includes the steps of: identifying the header of an acquired data packet to be identified; determining the network protocols used by the transport layer and by each layer below the transport layer; extracting an IP address and a port from the header of the data packet to be identified; and searching for the IP address and the port in a preset flow table. If the IP address and the port are found, the network protocol and the application that correspond to the IP address and the port are determined to be the network protocol and the application used by the application layer. If the IP address and the port are not found, the payload data in the data packet to be identified is matched against feature keywords in a preset feature library, and if matching succeeds, the network protocol and the application that correspond to the feature keywords are determined to be the network protocol and the application used by the application layer. Compared with the prior art, the method has the advantage that not only can the application-layer protocol be accurately identified through the preset flow table and feature library, but the application type can also be determined from the correspondences recorded in the flow table and the feature library, so the identification results are more comprehensive.
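
The two-stage lookup the summary describes, sketched as an added example (not code from the patent). It assumes IPv4 with TCP or UDP and uses the destination IP and port as the flow-table key; the table entries, application names and the `build_packet` helper are constructed for illustration.

```python
import socket
import struct

# Constructed sample tables (assumption): entries are illustrative, not from the patent.
FLOW_TABLE = {("192.0.2.10", 443): ("TLS", "example-webmail")}
FEATURE_LIBRARY = [(b"BitTorrent protocol", "BitTorrent", "p2p-client"),
                   (b"SSH-2.0-", "SSH", "remote-shell")]
TRANSPORT = {6: "TCP", 17: "UDP"}


def parse_headers(packet: bytes):
    """Identify the header: return (network, transport, dst_ip, dst_port, payload)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                    # IPv4 header length in bytes
    proto = TRANSPORT.get(packet[9])
    min_l4 = 20 if proto == "TCP" else 8
    if proto is None or ihl < 20 or len(packet) < ihl + min_l4:
        raise ValueError("unsupported transport or truncated packet")
    dst_ip = socket.inet_ntoa(packet[16:20])
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    # TCP header length comes from its data-offset field; UDP is fixed at 8 bytes.
    l4_len = max((packet[ihl + 12] >> 4) * 4, 20) if proto == "TCP" else 8
    return "IPv4", proto, dst_ip, dst_port, packet[ihl + l4_len:]


def identify(packet: bytes) -> dict:
    """Flow-table lookup first; on a miss, keyword match on the payload."""
    net, transport, ip, port, payload = parse_headers(packet)
    result = {"network": net, "transport": transport, "app_protocol": None,
              "application": None, "matched_by": None}
    hit = FLOW_TABLE.get((ip, port))
    if hit:
        result.update(app_protocol=hit[0], application=hit[1], matched_by="flow_table")
        return result
    for keyword, proto, app in FEATURE_LIBRARY:
        if keyword in payload:
            result.update(app_protocol=proto, application=app,
                          matched_by="feature_library")
            break
    return result                                   # unmatched traffic stays None


def build_packet(dst_ip: str, dst_port: int, payload: bytes, proto: int = 6) -> bytes:
    """Build a constructed IPv4 packet (checksums left at zero) for the demo."""
    l4 = (struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
          if proto == 6 else struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton("198.51.100.7"), socket.inet_aton(dst_ip))
    return ip + l4 + payload
```

A packet that misses both tables still returns the layer 3 and layer 4 protocols from the header, with the application fields left as `None`.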