Usage
go-dpi works by creating flows of packets and then passing them on to its different modules, until one of them manages to classify that flow. The main type used in this process is `Flow`. A `Flow` contains the list of packets belonging to it. The packets themselves are represented by the `gopacket.Packet` type, provided by the `gopacket` library. Also, the protocols are represented by the `Protocol` type, which is a string with the name of the protocol.
In order to use the library, you must first call `godpi.Initialize`. This initializes all the modules and is necessary for the correct usage of the library. Before that, you can optionally call `godpi.SetModules` with a list of module instances, in order to set which modules will be used for classification. If you don't do that, all modules will be used. For more information on modules, see Modules.
Once the library is initialized, you need a `gopacket.Packet` instance to make use of it. Once you have captured a packet, you can use `godpi.GetPacketFlow` in order to get the corresponding `Flow`. If there have been other packets in the same traffic flow, the `Flow` instance will be the same for all of them. Otherwise, a new one will be returned.
Having a `Flow` instance, you can now ask the library to try and classify it. There are two ways to do that.
- The first one is `godpi.ClassifyFlow`. By calling this with the `Flow`, the library will run all modules in the order they were given in `SetModules` to try and get a result back. The first positive classification that is made will be returned.
- The other way is to call `godpi.ClassifyFlowAllModules`. This will run all modules, once again, but will return every module's result, paired with the name of the module that made the classification. That may include `Unknown` protocol results, in the case a module couldn't identify the flow.
Finally, when you are done using the library, you should call `godpi.Destroy`. This frees all resources used by the library. Afterwards, you may call `godpi.Initialize` again, in order to start over.
If you need to configure a module, or change the order of the modules, while go-dpi is initialized, you should first call `godpi.Destroy`, then configure your modules and use `godpi.SetModules`, and finally call `godpi.Initialize` again. This will prevent any unexpected behaviors.
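The workflow above (flow table keyed on the packets' endpoints, an ordered module chain, first-match versus all-module classification, and a reset before reconfiguring) is easiest to see in a small self-contained model. The following Go program is an added illustration written for this page; it is not go-dpi's own code and does not import it. The `Packet`, `Module`, `Result` and `Classifier` types, the two toy modules, and the sample packets are all constructed here, and the method names are chosen to mirror the library functions described above rather than to reproduce their real signatures.

```go
package main

import (
	"fmt"
	"strings"
)

// Protocol is the protocol name; the page describes it as a plain string.
type Protocol string

const Unknown Protocol = "Unknown"

// Packet is a constructed stand-in for gopacket.Packet: "ip:port" endpoints plus payload.
type Packet struct{ Src, Dst string; Payload []byte }

// Flow holds every packet seen for one conversation.
type Flow struct{ Packets []*Packet }

// Module is the classifier shape assumed here: inspect a flow, answer a protocol or Unknown.
type Module struct{ Name string; Classify func(f *Flow) Protocol }

// Result pairs a protocol with the name of the module that reported it.
type Result struct{ Protocol Protocol; Source string }

// Classifier owns the flow table and the ordered module list (the SetModules order).
type Classifier struct{ modules []Module; flows map[string]*Flow }

func NewClassifier(mods ...Module) *Classifier {
	return &Classifier{modules: mods, flows: map[string]*Flow{}}
}

// GetPacketFlow appends the packet to its flow; the bool reports whether the flow is new.
func (c *Classifier) GetPacketFlow(p *Packet) (*Flow, bool) {
	key := p.Src + "<->" + p.Dst // direction-insensitive so both halves share one Flow
	if p.Dst < p.Src {
		key = p.Dst + "<->" + p.Src
	}
	f, seen := c.flows[key]
	if !seen {
		f = &Flow{}
		c.flows[key] = f
	}
	f.Packets = append(f.Packets, p)
	return f, !seen
}

// ClassifyFlow runs the modules in order and returns the first positive result.
func (c *Classifier) ClassifyFlow(f *Flow) Result {
	for _, m := range c.modules {
		if p := m.Classify(f); p != Unknown {
			return Result{p, m.Name}
		}
	}
	return Result{Unknown, ""}
}

// ClassifyFlowAllModules runs every module and keeps every answer, Unknown included.
func (c *Classifier) ClassifyFlowAllModules(f *Flow) []Result {
	var out []Result
	for _, m := range c.modules {
		out = append(out, Result{m.Classify(f), m.Name})
	}
	return out
}

// Destroy drops the flow table so the classifier can be reconfigured and reused.
func (c *Classifier) Destroy() { c.flows = map[string]*Flow{} }

// Banner is a constructed toy module keyed on the leading payload bytes of any packet.
var Banner = Module{"banner", func(f *Flow) Protocol {
	for _, p := range f.Packets {
		if s := string(p.Payload); strings.HasPrefix(s, "SSH-") {
			return "SSH"
		} else if strings.HasPrefix(s, "GET ") || strings.HasPrefix(s, "HTTP/") {
			return "HTTP"
		}
	}
	return Unknown
}}

// Port is a constructed toy module that only looks for the well-known DNS port.
var Port = Module{"port", func(f *Flow) Protocol {
	for _, p := range f.Packets {
		if strings.HasSuffix(p.Dst, ":53") || strings.HasSuffix(p.Src, ":53") {
			return "DNS"
		}
	}
	return Unknown
}}

func main() {
	c := NewClassifier(Banner, Port)
	defer c.Destroy()
	for _, p := range []*Packet{ // constructed sample traffic: an SSH exchange and a DNS query
		{"10.0.0.1:40000", "10.0.0.2:22", []byte("SSH-2.0-OpenSSH_8.9\r\n")},
		{"10.0.0.2:22", "10.0.0.1:40000", []byte("SSH-2.0-OpenSSH_9.0\r\n")},
		{"10.0.0.1:40001", "10.0.0.53:53", []byte{0x12, 0x34, 0x01, 0x00}},
	} {
		f, isNew := c.GetPacketFlow(p)
		fmt.Printf("new=%v first=%+v all=%+v\n", isNew, c.ClassifyFlow(f), c.ClassifyFlowAllModules(f))
	}
}
```

Two things the model makes visible: the reply packet on the SSH conversation lands in the same `Flow` as the request, so a module sees both directions; and the DNS flow shows the difference between the two classification calls, since `ClassifyFlow` stops at the first positive answer while `ClassifyFlowAllModules` also reports the `Unknown` verdict from the banner module. Because the module list is fixed at construction and the flow table is cleared by `Destroy`, changing module order here means the same thing as in the library: tear down, reorder, initialize again.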
More in-depth documentation about the API and the structure of the code is available at https://godoc.org/github.com/mushorg/go-dpi. Currently supported protocols are:
- DNS
- FTP
- HTTP
- ICMP
- Netbios
- RDP
- RPC
- SMB
- SMTP
- SSH
- SSL