Nikos Filippakis edited this page Jul 30, 2017 · 3 revisions

go-dpi works by creating flows of packets and then passing them on to its different modules, until one of them manages to classify that flow. The main type used in this process is Flow. A Flow contains the list of packets belonging to it. The packets themselves are represented by the gopacket.Packet type, provided by the gopacket library. Also, the protocols are represented by the Protocol type, which is a string with the name of the protocol.

In order to use the library, you must first call godpi.Initialize. This initializes all the modules and is necessary for the correct usage of the library. Before that, you can optionally call godpi.SetModules with a list of module instances, in order to set which modules will be used for classification. If you don't do that, all modules will be used. For more information on modules, see Modules.

Once the library is initialized, you need a gopacket.Packet instance to make use of it. Once you have captured a packet, you can use godpi.GetPacketFlow in order to get the corresponding Flow. If there have been other packets in the same traffic flow, the Flow instance will be the same for all of them. Otherwise, a new one will be returned.

Having a Flow instance, you can now ask the library to try and classify it. There are two ways to do that.

  • The first one is godpi.ClassifyFlow. By calling this with the Flow, the library will run all modules in the order they were given in SetModules to try and get a result back. The first positive classification that is made will be returned.
  • The other way is to call godpi.ClassifyFlowAllModules. This also runs all modules, but returns every result, each paired with the name of the module that made the classification. That may include Unknown protocol results, in case a module couldn't identify the flow.
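
The following stand-alone Go model is an added example, not go-dpi code, and it does not call the library. It shows how module order changes the answer of a first-match classifier while the all-modules form exposes the disagreement. Flow, Result, Module, Port and Banner are hypothetical simplified stand-ins, and the sample flow is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins (not go-dpi or gopacket types); protocols are plain strings.
type Flow struct{ Dst, Payload string }
type Result struct{ Module, Protocol string }
type Module func(*Flow) Result
const Unknown = "Unknown"

// Constructed modules: Port trusts the port number, Banner reads the payload.
func Port(f *Flow) Result {
	if strings.HasSuffix(f.Dst, ":80") {
		return Result{"port", "HTTP"}
	}
	return Result{"port", Unknown}
}
func Banner(f *Flow) Result {
	if strings.HasPrefix(f.Payload, "SSH-") {
		return Result{"banner", "SSH"}
	}
	return Result{"banner", Unknown}
}

// ClassifyFlow runs modules in the given order; the first positive result wins.
func ClassifyFlow(mods []Module, f *Flow) Result {
	for _, m := range mods {
		if r := m(f); r.Protocol != Unknown {
			return r
		}
	}
	return Result{"", Unknown}
}

// ClassifyFlowAllModules runs every module and keeps Unknown results too.
func ClassifyFlowAllModules(mods []Module, f *Flow) (out []Result) {
	for _, m := range mods {
		out = append(out, m(f))
	}
	return out
}

func main() {
	f := &Flow{"10.0.0.5:80", "SSH-2.0-demo\r\n"} // constructed flow
	fmt.Println(ClassifyFlow([]Module{Port, Banner}, f), ClassifyFlowAllModules([]Module{Port, Banner}, f))
}
```

With the port heuristic listed first, the first-match call reports HTTP for a flow whose payload is an SSH banner; reversing the order reports SSH, and the all-modules call returns both verdicts so the mismatch can be flagged.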

Finally, when you are done using the library, you should call godpi.Destroy. This frees all resources used by the library. Afterwards, you may call godpi.Initialize again, in order to start over.

If you need to reconfigure a module, or change the order of the modules, while go-dpi is initialized, you should first call godpi.Destroy, then configure your modules and use godpi.SetModules, and finally call godpi.Initialize again. This will prevent any unexpected behavior.

More in-depth documentation about the API and the structure of the code is available at https://godoc.org/github.com/mushorg/go-dpi. Currently supported protocols are:

  • DNS
  • FTP
  • HTTP
  • ICMP
  • NetBIOS
  • RDP
  • RPC
  • SMB
  • SMTP
  • SSH
  • SSL