vpp-ndpi
Passive application visibility plugin — classifies 300+ protocols using nDPI, inside the VPP data plane at line rate.
vpp-ndpi classifies flows by application protocol inside VPP’s packet processing pipeline. It attaches to the ip4-unicast and ip6-unicast feature arcs, observes every packet on enabled interfaces, and exposes classification results through buffer metadata, the CLI, the binary API, and the stats segment.
Strictly observational — packets are never dropped, modified, or redirected.
Status
Production-ready. Apache 2.0. Tested on VPP 25.06 with nDPI 4.2.0.
Configuration
Add to your startup.conf:
plugins {
  plugin default { disable }
  plugin ndpi_plugin.so { enable }
}
ndpi {
  flows-per-worker 65536
}
Enable on an interface:
vppctl set interface ndpi eth0 enable
CLI reference
| Command | Description |
|---|---|
| `show ndpi version` | Plugin and nDPI library version |
| `show ndpi stats` | Global counters: flows, packets, cache hits |
| `show ndpi applications [top N]` | Per-application flow, packet, and byte counts |
| `show ndpi flows [count N]` | Active flow dump with 5-tuple, app, SNI, bytes |
| `set interface ndpi <if> enable\|disable` | Enable/disable on interface |
Example output
vpp# show ndpi stats
flows created: 720
flows classified: 720
flows active: 720
packets scanned: 3600
packets cached: 10440
ndpi calls: 3600
vpp# show ndpi applications
Application   Flows   Packets     Bytes
YouTube          60      1440   1105920
Google           60      1440   1105920
NetFlix          60      1440   1105920
Instagram        60      1440   1105920
Spotify          60      1440   1105920
Teams            60      1440   1105920
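The following is an added example, not part of the plugin or its documentation: a monitoring helper that parses the two CLI outputs shown above and reports classification gaps and flow-table occupancy against `flows-per-worker`. It assumes the output lines look exactly like the samples on this page; the `workers` count and the `warn_at` threshold are hypothetical parameters, and the page does not say how the plugin behaves when the flow table is full.

```python
import re

# Constructed sample input: the two CLI outputs shown on this page.
SAMPLE_STATS = """vpp# show ndpi stats
flows created: 720
flows classified: 720
flows active: 720
packets scanned: 3600
packets cached: 10440
ndpi calls: 3600"""
SAMPLE_APPS = """vpp# show ndpi applications
Application Flows Packets Bytes
YouTube 60 1440 1105920
Teams 60 1440 1105920"""

def parse_stats(text):
    """Parse 'name: value' counter lines into {name: int}; other lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*", line)
        if m:
            counters[m.group(1).lower()] = int(m.group(2))
    return counters

def parse_applications(text):
    """Parse application rows into {name: (flows, packets, bytes)}."""
    apps = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 3)  # split from the right: names may contain spaces
        if len(parts) == 4 and all(p.isdigit() for p in parts[1:]):
            apps[parts[0].strip()] = tuple(int(p) for p in parts[1:])
    return apps

def health(stats, flows_per_worker=65536, workers=1, warn_at=0.8):
    """Return (unclassified_flows, table_occupancy, warnings).
    workers and warn_at are assumptions; the page does not give either."""
    missing = {"flows created", "flows classified", "flows active"} - stats.keys()
    if missing:
        raise ValueError(f"missing counters: {sorted(missing)}")
    unclassified = stats["flows created"] - stats["flows classified"]
    occupancy = stats["flows active"] / (flows_per_worker * workers)
    warnings = []
    if unclassified > 0:
        warnings.append(f"{unclassified} flows created but not classified")
    if occupancy >= warn_at:
        warnings.append(f"flow table at {occupancy:.0%} of configured capacity")
    return unclassified, occupancy, warnings

if __name__ == "__main__":
    print(health(parse_stats(SAMPLE_STATS)), parse_applications(SAMPLE_APPS))
```

Feed it the captured output of `vppctl show ndpi stats` on a schedule; a growing gap between created and classified flows means traffic is passing without an application label.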
Buffer opaque contract
After classification, downstream plugins read:
ndpi_flow_tag_t *tag = vlib_buffer_opaque(b)->ndpi_flow_tag;
/* tag->app_protocol, tag->category, tag->risk, tag->status */
Source
src/plugins/ndpi/ — available via PacketFlow commercial engagement or open-source release.