Provide an explicit state for the flow classification process #2942
Conversation
IvanNardi
force-pushed
the
dpi-state3
branch
3 times, most recently
from
e98e340 to
9dcaa71
Compare
IvanNardi
changed the title
IvanNardi
force-pushed
the
dpi-state3
branch
2 times, most recently
from
e9a6196 to
8d648f0
Compare
IvanNardi
force-pushed
the
dpi-state3
branch
2 times, most recently
from
4471562 to
deda9f7
Compare
IvanNardi
force-pushed
the
dpi-state3
branch
6 times, most recently
from
2fab2ad to
b7c13e6
Compare
Application should keep calling nDPI until flow state became
`NDPI_STATE_CLASSIFIED`.
The main loop in the application is simplified to something like:
```
res = ndpi_detection_process_packet(...);
if(res->state == NDPI_STATE_CLASSIFIED) {
/* Done: you can get finale classification and all metadata.
nDPI doesn't need more packets for this flow */
} else {
/* nDPI needs more packets for this flow. The provided
classification is not final and more metadata might be
extracted.
If `res->state` is `NDPI_STATE_PARTIAL`, partial/initial
classification is available in `res->proto`
as usual but it can be updated later.
*/
}
/*
Example A (QUIC flow):
pkt 1: proto QUIC state NDPI_STATE_PARTIAL
pkt 2: proto QUIC/Youtube state NDPI_STATE_CLASSIFIED
Example B (GoogleMeet call):
pkt 1: proto STUN state NDPI_STATE_PARTIAL
pkt N: proto DTLS state NDPI_STATE_PARTIAL
pkt N+M: proto DTLS/GoogleCall state NDPI_STATE_CLASSIFIED
Example C (standard TLS flow):
pkt 1: proto Unknown state NDPI_STATE_INSPECTING
pkt 2: proto Unknown state NDPI_STATE_INSPECTING
pkt 3: proto Unknown state NDPI_STATE_INSPECTING
pkt 4: proto TLS/Facebook state NDPI_STATE_PARTIAL
pkt N: proto TLS/Facebook state NDPI_STATE_CLASSIFIED
*/
}
```
You can take a look at `ndpiReader` for a slightly more complex example.
API changes:
* remove the third parameter from `ndpi_detection_giveup()`. If you need
to know if the classification flow has been guessed, you can access
`flow->protocol_was_guessed`
* remove `ndpi_extra_dissection_possible()`
* change some prototypes from accepting `ndpi_protocol foo` to
`ndpi_master_app_protocol bar`. The update is trivial: from `foo` to
`foo.proto`
|
|
@IvanNardi useful feature, I'm currently developing a Flow State Machine (FSM) with an accumulator mechanism to optimize how packets are sent to nDPI based on protocol characteristics. For example, only a single packet is sent for DNS flows, while TLS flows require at least 6–8 packets before classification. The goal is to prevent the application from continuously invoking nDPI until the flow state reaches NDPI_STATE_CLASSIFIED, which should significantly reduce CPU cycles and improve performance on hot paths. If this approach sounds reasonable, I’ll be happy to share the implementation details and results once it’s completed. Please share your thoughts or suggestions. |
Let me be clear about nDPI capabilities: libnDPI stops processing flow packets when it gets all the information (classification and metadata) *** required by the application***. That means:
In other words, nDPI already processes the minimum number of packets depending on the configuration; with the default configuration we usually want to get everything but you can tune that depending on your usercase. It is a tradeoff between performance and information extracted. All of that was true even before this PR has been merged. Are you doing something different, @mmanoj ? |
2 participants
Application should keep calling nDPI until flow state became
NDPI_STATE_CLASSIFIED.The main loop in the application is simplified to something like:
You can take a look at
ndpiReaderfor a slightly more complex example.API changes:
ndpi_detection_giveup(). If you needto know if the classification flow has been guessed, you can access
flow->protocol_was_guessedndpi_extra_dissection_possible()ndpi_protocol footondpi_master_app_protocol bar. The update is trivial: fromfootofoo.proto