See every application flowing through VPP.

FlowLens is an open-source DPI plugin suite for FD.io VPP. It classifies 300+ applications in real time — inside the data plane, at line rate, with zero hardware changes.

Try the 5-minute lab → View on GitHub
300+protocols
< 8 nscached overhead
3–8packets to classify
Apache 2.0license
FlowLens Grafana dashboard showing live application traffic

What FlowLens does

🔍

Classifies traffic

Identifies YouTube, Zoom, Netflix, BitTorrent, TLS clients, DNS, and 300+ more — using nDPI, the same engine behind ntopng and Suricata. No decryption. No separate box.

🛡️

Enforces policy

Drop, rate-limit, or DSCP-mark traffic by application class. Policy rules installed at runtime via CLI or binary API. No restarts.

📊

Exports telemetry

IPFIX flow records enriched with application name and TLS SNI. Prometheus metrics from VPP's stats segment. Grafana dashboard included.

↔️

Steers traffic

Application-aware WAN path selection for SD-WAN CPE. BGP FlowSpec enforcement for carrier-grade DDoS reaction at the upstream PE.

Inside the data plane, not next to it

Commercial DPI appliances sit next to your router on a mirror port. They cost $80K–$300K per chassis, require dedicated hardware, and add an extra hop to your management plane.

FlowLens runs inside VPP itself, as a feature arc node on ip4-unicast. Classification happens in nanoseconds, on the same CPU core as your forwarding path. No mirror port. No extra server. No per-Gbps license.

Read the architecture →
Without FlowLens
Router VPP ──mirror──► DPI Appliance
$200K
→ slow · expensive · extra hardware
With FlowLens
Router VPP
+ ndpi-observe
→ in-process · free · < 8 ns overhead

Live application visibility in Grafana

The included Grafana dashboard shows real-time application traffic — throughput, flow rates, and engine metrics — scraped from VPP's stats segment via Prometheus.

FlowLens Grafana dashboard — kiosk view
Top Applications by Throughput — pie chart

Top apps by throughput

Top Applications — horizontal bar chart with app names

Current throughput ranking

Active Flows stat panel showing 720

Active flows count

Real CLI output

From a lab replay of TLS ClientHello flows. Classification happens in the first 3 packets — nDPI reads the SNI before the handshake completes.

vpp# show ndpi version vpp-ndpi plugin 0.1.0 libndpi 4.2.0 vpp# show ndpi stats flows created: 720 flows classified: 720 flows active: 720 packets scanned: 3600 packets cached: 10440 ndpi calls: 3600 vpp# show ndpi applications Application Flows Packets Bytes YouTube 60 1440 1105920 NetFlix 60 1440 1105920 Zoom 60 1440 1105920 Teams 60 1440 1105920 Spotify 60 1440 1105920 Github 60 1440 1105920 ...

Composable plugin stack

Each plugin registers on the same VPP feature arc. Enable only what you need — the data plane cost is proportional to the plugins you activate.

vpp-ndpi
classify: app, category, SNI, JA3, risk score · open-source
vpp-policy
enforce: drop / permit by app or risk flag
vpp-policer-ndpi
rate-limit: per-app or per-category token bucket
vpp-ipfix
export: IPFIX records enriched with app fields + SNI
vpp-exporter
scrape: Prometheus metrics + Grafana dashboard · open-source
vpp-sdwan-steer
steer: select WAN path per application class
vpp-gobgp-flowspec
react: push BGP FlowSpec on anomaly or policy match

vpp-ndpi and vpp-exporter are open-source (Apache 2.0). Other plugins are available as PacketFlow commercial products.

Performance

MetricValueCondition
Overhead per packet (classifying)~150 ns10G link, 64B packets
Overhead per packet (cached flow)~8 nsbihash lookup only
Flow table lookupO(1)per-worker, no locks
Max flows per worker1Mconfigurable
Classification convergence3–8 pkts95th pct, TCP/TLS
Protocols classified300+nDPI 4.2.0

Built on proven open-source foundations

FD.io VPP

Packet processing framework — 100+ Gbps forwarding, used by Cisco, Ericsson, Nokia, and scores of network vendors. Apache 2.0.

ntop nDPI

Deep packet inspection — 300+ protocols, used by ntopng, Suricata, Zeek, pfSense, and Arkime. LGPL-3.0.

Prometheus + Grafana

Industry-standard metrics and dashboards. Zero-code integration via VPP's stats segment shared memory. Apache 2.0.

Add application visibility to your VPP deployment in 5 minutes.

Read the quickstart → Commercial support