Create a specific configuration for classification only #2689

IvanNardi · 2025-01-21T17:34:11Z

In some scenarios, you might not be interested in flow metadata or flow-risks at all, but you might want only flow (sub-)classification. Examples: you only want to forward the traffic according to the classification or you are only interested in some protocol statistics.

Create a new configuration file (for ndpiReader, but you can trivially adapt it for the library itself) allowing exactly that. You can use it via: ndpiReader --conf=example/only_classification.conf ...

Note that this way, the nDPI overhead is lower because it might need less packets per flow:

TLS: nDPI processes only the CH (in most cases) and not also the SH and certificates
DNS: only the request is processed (instead of both request and response)

We might extend the same "shortcut-logic" (stop processing the flow immediately when there is a final sub-classification) for others protocols.

Add the configuration options to enable/disable the extraction of some TLS metadata.

In some scenarios, you might not be interested in flow metadata or flow-risks at all, but you might want only flow (sub-)classification. Examples: you only want to forward the traffic according to the classification or you are only interested in some protocol statistics. Create a new configuration file (for `ndpiReader`, but you can trivially adapt it for the library itself) allowing exactly that. You can use it via: `ndpiReader --conf=example/only_classification.conf ...` Note that this way, the nDPI overhead is lower because it might need less packets per flow: * TLS: nDPI processes only the CH (in most cases) and not also the SH and certificates * DNS: only the request is processed (instead of both request and response) We might extend the same "shortcut-logic" (stop processing the flow immediately when there is a final sub-classification) for others protocols. Add the configuration options to enable/disable the extraction of some TLS metadata.