How It Works

Problem: we need to get Zoom and the all-important Fortnite network traffic through with low latency and then shuffle less time-sensitive traffic like BitTorrent and Netflix to the "I don't care about latency" part of the network.

In the modern network, these application/protocol features require tapping into Layer 7 to get the necessary information. At Layer 2/3 (MAC addresses, IPs, UDP/TCP port numbers), Fortnite and Zoom can look like plain old HTTPS traffic on a common cloud platform like Amazon AWS. Differentiating this traffic using IPs and ports is complex and often impossible. Tricky protocols like BitTorrent, Wireguard, and others are impossible to manage at Layer 3.

The Linux kernel, traffic control tools (tc), iptables, nftables, and other engines do not speak native Layer 7, and nor should they. But that leaves us with a crucial problem:

The agent ingests network traffic from what we call an Input. The input is either:

• Network interfaces, or
• Packet capture files

Most Netify Agent deployments are configured to capture live traffic from network interfaces, but capture files can be handy for testing, development, and offline processing.

Netify DPI ingests the network traffic from the inputs, examines the first 1 to 32 packets of a connection, and performs deep packet analysis. Subsequent packets are tracked for bandwidth statistics and various key performance metrics.

With the inputs configured, the agent uses processor plugins to transform the analysis into various metadata and datasets. The metadata can be used for bandwidth statistics, cybersecurity analysis, and more. The datasets, on the other hand, can be used by standard Layer 3 tools to implement:

• QoS and QoE
• Firewalls
• Routing

There are three standard processor plugins available in Netify DPI - these are described below.

Flow Actions Processor

The Flow Actions Plugin provides a high-speed interface into firewall, QoS, and routing systems in Linux. In particular, the plugin produces three types of datasets:

• IP sets
• nftables
• connection tracking labels

Core Processor

The Core Plugin provides network metadata information in JSON format. Metadata includes:

• Application
• Protocol
• Extracted hostnames
• TLS ciphers
• Bandwidth statistics
• Performance indicators
• and many more

Third-party tools typically ingest this flow metadata to provide enhanced network intelligence solutions.

Aggregator Processor

Flow data from Netify DPI generates a very large amount of data. However, the Aggregator Plugin provides a way to summarize this data more compactly. For example, the plugin can be configured to track total bandwidth usage by a particular application - an efficient way to offer zero-rating.

The final part of the Netify DPI agent workflow is outputs. The metadata from one or more of the Netify processors can be connected to any of the following outputs:

• Socket
• Message Queue
• Log

And yes, you can mix and match these plugins. For example, the flow metadata from the core processor can be sent to the socket for analysis while simultaneously sending aggregator processor bandwidth data to a message queue server.