FAQ
Frequently asked questions about FlowLens — what it is, how it works, performance, and licensing.
What is FlowLens?
FlowLens is an open-source software plugin suite for FD.io VPP that classifies network application traffic in real time, directly inside the VPP data plane. It is not hardware — it runs on commodity x86 servers. It is licensed under Apache 2.0 and maintained by PacketFlow.
What protocols and applications does it classify?
FlowLens uses the nDPI library (the same engine behind ntopng and Suricata) to classify 300+ application protocols — including YouTube, Netflix, TLS, QUIC, DNS, HTTP/2, Teams, Zoom, BitTorrent, WireGuard, and more. The full list is in the nDPI protocol registry.
Does it work with encrypted traffic?
Yes, for most encrypted applications. Classification uses:
- TLS SNI — server name from the TLS ClientHello (no decryption needed)
- JA3/JA3S fingerprints — TLS handshake signature matching
- DNS correlation — domain-to-IP association built from observed DNS responses
- IP/prefix ranges — CDN and cloud provider prefix databases (e.g., recognising Netflix by ASN)
Traffic that is fully opaque (e.g., Tor, custom VPNs) may not be classified beyond the transport layer.
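The TLS SNI method in the list above, as an added C example (not FlowLens or nDPI code): a bounds-checked parser that reads the server name from a cleartext ClientHello without any decryption. It assumes the whole ClientHello sits in one TLS record in one buffer; `extract_sni`, `skip_vec` and `sample_hello` are names made up for this example, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Skip a vector with a w-byte length prefix; returns new offset, 0 if truncated. */
static size_t skip_vec(const uint8_t *b, size_t len, size_t off, size_t w) {
    size_t n = 0;
    if (off == 0 || off + w > len) return 0;
    for (size_t i = 0; i < w; i++) n = (n << 8) | b[off + i];
    return (off + w + n <= len) ? off + w + n : 0;
}

/* Copies the SNI host name into out; returns its length, or -1 on any parse failure. */
int extract_sni(const uint8_t *b, size_t len, char *out, size_t outsz) {
    /* record hdr (5) + handshake hdr (4) + version (2) + random (32) = 43 */
    if (len < 43 || b[0] != 0x16 || b[5] != 0x01) return -1;
    size_t off = skip_vec(b, len, 43, 1);      /* session_id */
    off = skip_vec(b, len, off, 2);            /* cipher_suites */
    off = skip_vec(b, len, off, 1);            /* compression_methods */
    if (off == 0 || off + 2 > len) return -1;
    size_t end = off + 2 + ((size_t)b[off] << 8 | b[off + 1]);
    if (end > len) return -1;                  /* extensions block truncated */
    for (off += 2; off + 4 <= end; ) {
        unsigned type = (unsigned)b[off] << 8 | b[off + 1];
        size_t elen = (size_t)b[off + 2] << 8 | b[off + 3];
        off += 4;
        if (off + elen > end) return -1;
        if (type == 0x0000) {  /* server_name: list_len(2) type(1) name_len(2) name */
            if (elen < 5 || b[off + 2] != 0) return -1;
            size_t nlen = (size_t)b[off + 3] << 8 | b[off + 4];
            if (5 + nlen > elen || nlen + 1 > outsz) return -1;
            memcpy(out, b + off + 5, nlen);
            out[nlen] = '\0';
            return (int)nlen;
        }
        off += elen;
    }
    return -1;
}

/* Constructed sample: minimal ClientHello with SNI "example.com". */
static const uint8_t sample_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x43,  0x01, 0x00, 0x00, 0x3f,  0x03, 0x03,
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, /* random */
    0x00,  0x00, 0x02, 0x13, 0x01,  0x01, 0x00,  /* session_id, ciphers, compression */
    0x00, 0x14,  0x00, 0x00, 0x00, 0x10,  0x00, 0x0e,  0x00,  0x00, 0x0b,
    'e','x','a','m','p','l','e','.','c','o','m'
};
```

A ClientHello split across TCP segments or TLS records returns -1 here; a classifier has to reassemble it first or fall back to the other methods in the list.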
What is the performance overhead?
| State | Overhead |
|---|---|
| Classifying (first 3–8 packets) | ~150 ns per packet |
| Cached (verdict already known) | ~8 ns per packet |
| Flow table lookup | O(1) — per-worker bihash, no locks |
Tested on a 10 GbE link with 64-byte packets. Memory: ~1.1 KB per classifying flow (nDPI state freed after verdict), ~64 bytes per cached flow.
Does FlowLens drop or modify packets?
No — the core vpp-ndpi plugin is strictly observational. It classifies flows and writes results to the VPP buffer opaque area, but never drops or alters packets itself.
Policy enforcement (drop, DSCP mark, rate-limit) is handled by separate optional plugins (vpp-policy, vpp-policer) that you enable independently.
What VPP versions are supported?
FlowLens is tested against VPP 25.06 with nDPI 4.2.0. VPP 24.x may work but is not actively tested. Contact PacketFlow for the current CI matrix and supported configurations.
Can I use FlowLens without commercial support?
Yes. The core plugins are Apache 2.0 and fully functional without any commercial engagement. Community support and commercial options are both available — see the Support page.
How does FlowLens compare to ntopng or Suricata?
| | FlowLens | ntopng / Suricata |
|---|---|---|
| Placement | Inside VPP data plane (inline) | Tap/mirror port (out-of-band) |
| Overhead | ~8 ns per cached packet | Copy overhead + separate process |
| Actions | Drop, rate-limit, DSCP, FlowSpec | Alert, block (via firewall API) |
| DPI engine | nDPI (same as ntopng) | nDPI / custom |
| Integration | VPP feature arc | Separate daemon |
FlowLens is purpose-built for environments where VPP is already the data plane (ISP, SD-WAN, 5G UPF). It is not a general-purpose IDS/IPS.
What is the difference between vpp-flowspec variants?
There are two FlowSpec plugins:
| Plugin | BGP daemon | Use case |
|---|---|---|
| vpp-flowspec | ExaBGP (separate process) | Simple threshold-based anomaly reaction |
| vpp-gobgp-flowspec | GoBGP embedded (same process) | Carrier-grade policy-driven enforcement with prefix aggregation |
The GoBGP variant compresses millions of classified flows into tens of BGP FlowSpec NLRIs via a prefix aggregation engine, suitable for production ISP and carrier deployments.
How do I add custom application signatures?
nDPI supports custom protocol definitions via its custom rules API. You can:
- Define a custom protocol ID in the nDPI init call
- Add IP/port or regex-based match rules
- Recompile — FlowLens picks up the new protocol ID automatically
For production custom signatures (carrier-specific applications, proprietary protocols), PacketFlow offers signature development as a commercial service.