Modules
There are currently three modules available: classifiers, wrappers and ml, which are described below.
The classifiers module contains the library’s classifiers, meaning that for each supported protocol, there is a classifier that determines if a flow follows that protocol.
In the case of heuristic classifiers, each one contains a method called HeuristicClassify, which returns a boolean that signifies if, according to the heuristics used for that protocol, the flow follows that protocol.
In order to get a new ClassifierModule instance, you should call classifiers.NewClassifierModule. This returns an initialized module instance, which you may then configure and pass to godpi.SetModules.
You can configure the module instance by calling module.ConfigureModule with a classifiers.ClassifierModuleConfig instance. The configuration instance allows you to select which classifiers will be used, and their order, by passing them in an array to the configuration. By default, all classifiers will be used, with a predetermined order. To pass a classifier instance to the configuration, you can simply create the appropriate instance, e.g. classifiers.HTTPClassifier{}.
The wrappers module contains the wrappers for the nDPI and libprotoident libraries. These libraries need to be installed beforehand. In order to interface with these libraries, the C pseudo-package is used. For this reason, there are not only Go files in wrappers, but C and C++ files as well.
These files provide simple and thin wrappers for each library; most of the logic still resides in the Go code. Each wrapper contains methods for initializing and destroying the underlying library instance and a method for classifying a flow.
Also, for each wrapper, there exists a mapping from the internal codes used by the wrapper to the protocol identifier used by go-dpi, in order to be able to return the protocol when a detection is made.
In order to get a new WrapperModule instance, you should call godpi.NewWrapperModule, which you may then configure and pass to godpi.SetModules.
You can configure the module instance by calling module.ConfigureModule with a wrappers.WrapperModuleConfig instance. The configuration instance allows you to select which wrappers will be used, and their order, by passing them in an array to the configuration. By default, both libprotoident and nDPI will be used, in that order. To get an instance of the wrappers to pass to the configuration, you may call wrappers.NewLPIWrapper and wrappers.NewNDPIWrapper, respectively.
The ml module contains a model trained using liblinear. This model is trained using L2-regularized logistic regression on the 2-grams that comprise the first payload sent from the client to the server in a flow. This means that, for the first packet sent to the server that has a payload, the occurrences of each combination of 2 bytes are counted and fed into the model, which was trained on similar data. The result of this classification is the probabilities of the packet belonging to each of the protocols. The protocol with the highest probability is the one returned, but only if the probability is above the threshold defined by the user.
In order to get a new LinearSVCModule instance, you should call ml.NewLinearSVCModule. This returns an initialized module instance, which you may then configure and pass to godpi.SetModules.
You can configure the module by setting the following fields on the LinearSVCModule instance.
- Threshold defines the threshold mentioned above. If the best prediction has a probability smaller than this threshold, it is not returned. The default value is 0.8.
- TCPModelPath is the path of the file that contains the trained model for TCP flows.
- UDPModelPath is the path of the file that contains the trained model for UDP flows.
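The 2-gram counting and the threshold rule described for the ml module, as an added Go example that is not go-dpi's own code. The function names, the way a byte pair is packed into a feature key, and the sample payload and probabilities are assumptions made for illustration; the trained model itself is not reproduced.

```go
package main

import (
	"fmt"
	"sort"
)

// bigramCounts counts every overlapping pair of adjacent bytes in payload.
// Assumption: a pair is keyed as first<<8 | second (65536 possible features);
// go-dpi's real feature encoding may differ.
func bigramCounts(payload []byte) map[uint16]int {
	counts := make(map[uint16]int)
	for i := 0; i+1 < len(payload); i++ {
		counts[uint16(payload[i])<<8|uint16(payload[i+1])]++
	}
	return counts
}

// pickProtocol returns the most probable protocol, but only if its
// probability is not smaller than threshold; otherwise nothing is returned.
func pickProtocol(probs map[string]float64, threshold float64) (string, bool) {
	names := make([]string, 0, len(probs))
	for name := range probs {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic order when two protocols tie
	best, bestP := "", -1.0
	for _, name := range names {
		if probs[name] > bestP {
			best, bestP = name, probs[name]
		}
	}
	if best == "" || bestP < threshold {
		return "", false
	}
	return best, true
}

func main() {
	// Constructed sample: first client payload of an HTTP flow.
	payload := []byte("GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
	counts := bigramCounts(payload)
	fmt.Println("distinct 2-grams:", len(counts), "CRLF pairs:", counts[0x0d0a])
	// Constructed probabilities standing in for the model's output.
	fmt.Println(pickProtocol(map[string]float64{"HTTP": 0.93, "SSH": 0.07}, 0.8))
	fmt.Println(pickProtocol(map[string]float64{"HTTP": 0.55, "DNS": 0.45}, 0.8))
}
```

With the default threshold of 0.8, the second call reports no detection even though HTTP is the most probable label, which is the case where a flow is left unclassified by this module.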
If you wish to add another module to the library, you should look at Adding a module.