UDPI/Meeting/Oct 09 2019
Thanks to Pengjie Li for sharing his exploration!
Here are the meeting notes from our discussion. If anything is missing, please help to correct it.
1. For specific TCP/UDP stacks, performance will be poor if we scan the TCP protocol list one by one.
We need to find a way to optimize this. Some people from Intel will do some research on it.
2. Parse DNS responses to get the IP list and cache it in a pre-match table, then look up the pre-match table to guess the application when a new flow is created.
3. Divide the rules into many domains, so that we can classify flows to different protocol stacks, such as TCP, UDP, IP, etc.
4. Store the destination IP + port in the pre-match table for flows that were successfully identified before, to improve the first-time identification rate.
5. For video handshake messages, we need to parse the payload to get the IP list and store it in the pre-match table.
6. For strings at a fixed offset with a fixed length, use a hash or Hyperscan to pre-match. Which one is better? We need to benchmark and evaluate.
7. Do we need to change Hyperscan from stream mode to block mode? In stream mode, Hyperscan needs to consume some hundreds of bytes for each flow.
We need to add some CLI commands and code to support both modes.
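A sketch of the pre-match table from items 2, 4 and 5, added here as an example and not taken from the UDPI code base. The names (pm_add, pm_guess), the table geometry, the TTL-based expiry and the application ids are all assumptions; the returned value is only a guess for the first packets of a flow.

```c
#include <stdint.h>
#include <stdio.h>
#define PM_BUCKETS  256u   /* table geometry is an assumption */
#define PM_WAYS     4
#define PM_ANY_PORT 0      /* IP-only entry, e.g. learned from a DNS answer */

typedef struct {
    uint32_t ip;       /* destination IPv4, host byte order */
    uint16_t port;     /* destination port, or PM_ANY_PORT */
    uint16_t app_id;   /* hypothetical application id; 0 = unknown */
    uint32_t expires;  /* absolute expiry in seconds; 0 = never used */
} pm_entry_t;
static pm_entry_t pm_table[PM_BUCKETS][PM_WAYS];

static pm_entry_t *pm_bucket(uint32_t ip, uint16_t port) {
    return pm_table[(((ip ^ port) * 2654435761u) >> 24) % PM_BUCKETS];
}

/* Insert or refresh; when the bucket is full, evict the entry expiring soonest. */
static void pm_add(uint32_t ip, uint16_t port, uint16_t app, uint32_t now, uint32_t ttl) {
    pm_entry_t *b = pm_bucket(ip, port), *slot = &b[0];
    for (int i = 0; i < PM_WAYS; i++) {
        if (b[i].ip == ip && b[i].port == port && b[i].expires) { slot = &b[i]; break; }
        if (b[i].expires < slot->expires) slot = &b[i];
    }
    *slot = (pm_entry_t){ ip, port, app, now + ttl };
}

static uint16_t pm_find(uint32_t ip, uint16_t port, uint32_t now) {
    pm_entry_t *b = pm_bucket(ip, port);
    for (int i = 0; i < PM_WAYS; i++)
        if (b[i].expires > now && b[i].ip == ip && b[i].port == port)
            return b[i].app_id;
    return 0;
}

/* New flow: exact IP+port from an earlier identification wins over IP-only. */
static uint16_t pm_guess(uint32_t dst_ip, uint16_t dst_port, uint32_t now) {
    uint16_t app = pm_find(dst_ip, dst_port, now);
    return app ? app : pm_find(dst_ip, PM_ANY_PORT, now);
}

int main(void) {
    uint32_t ip = 0xC6336407u;                 /* 198.51.100.7, constructed */
    pm_add(ip, PM_ANY_PORT, 7, 100, 60);       /* from a DNS answer, TTL 60 s */
    pm_add(ip, 443, 9, 110, 300);              /* flow identified as app 9 */
    printf("%u %u\n", pm_guess(ip, 443, 120), pm_guess(ip, 80, 200));
    return 0;
}
```

Expiring the IP-only entries with the DNS TTL keeps a reassigned or shared address from being attributed to the wrong application indefinitely.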