-
Notifications
You must be signed in to change notification settings - Fork 54
Architecture
go-dpi comprises of the main godpi module, as well as the wrappers and classifiers submodules, which live in their own directories. There also exists an example app in the godpi_example directory, which is described below.
The godpi module contains the Protocol type, which is simply a string and is used to specify the protocol that was detected for a flow, and is the type that is returned by all the classifiers available. There are Protocol constants for each supported protocol, and the Unknown constant which signifies that a flow has not been classified.
The other important type is Flow, which contains a list of packets. There is also a field that contains the detected protocol of that flow, which is set once a detection is made, and a field that contains the source of that detection, meaning the module that made it.
The classifiers submodule contains the library’s classifiers, meaning that for each supported protocol, there is a classifier that determines if a flow follows that protocol. The classifiers.go file contains a list of all classifiers that are used.
Each one is a class with a method called GetProtocol which returns the protocol that that classifier determines. Also, in the case of heuristic classifiers, each one contains a method called HeuristicClassify, which returns a boolean that signifies if, according to the heuristics used for that protocol, the flow follows that protocol.
When the classifiers.ClassifyFlow method is called, each classifier in the list is called. The first one that manages the classify the flow is the one whose protocol is returned.
The wrappers submodule contains the wrappers for the nDPI and libprotoident libraries. These libraries need to be installed beforehand. In order to interface with these libraries, the C pseudo-package is used. For this reason, there are not only go files in wrappers, but C and C++ files as well.
These files provide simple and thin wrappers for each library, most of the logic still resides in the go code. Each wrapper contains methods for initializing and destroying the underlying library instance and a method for classifying a flow. There is also the wrappers.go file, which contains the methods for initializing and destroying all the wrappers, and for classifying a flow using all wrappers. The first two should be used in the initialization and the termination of the application.
The wrappers to be used are also contained in an array in that file. The method for classifying calls all wrappers in the order they are given in the array, and returns the first result given by one of them. As opposed to the classifiers, the wrappers do not concern only one protocol, but all of them.
Also, for each wrapper, there exists a mapping from the internal codes used by the wrapper to the protocol identifier used by go-dpi, in order to be able to return the protocol when a detection is made.