NetMon's Deep Packet Analytics allows users to write rules that interact with network traffic as it is being processed. The rules can be executed in one of two phases of traffic processing.

  1. Flow (generic): Executes on every flow.
  2. Packet: Executes on every packet.

Flow rules can read metadata associated with the flow. All metadata should be known and available. No changes can be made to metadata.

Packet rules may not have access to all fields. Some fields are populated or updated as the flow is continually processed. In some cases, the application of the flow is not yet known or fully determined. The application function described in the sections that follow returns the latest known application. Packet rules are the only rules that can make changes to metadata.

Note that Deep Packet Analytics Rules, especially packet rules, can have a significant impact on system performance. If issues occur, please disable or delete the rule; you can find the rule by clicking Rules on the top navigation bar, and then clicking the Deep Packet Analytics Rules tab.

If issues occur and the rules configuration page reports that there was a problem updating the rule changes, you may have to restart the Logger and Engine processes. That can easily be done with a normal configuration change: on the top navigation bar, click Configuration, then click the Engine tab, and then click Apply Changes.

Flow State Differences Table

FlowPacket
Fires on end-of-flow eventsFires for every single packet (a LOT)
Can trigger an alarmCannot trigger an alarm
Can set custom fieldsCan set custom fields
Can access metadata fieldsCan access metadata fields

Required Lua Function Format

To interact with the network traffic using Deep Packet Analytics Rules, you must create a Lua function in the following required format.

More information on Lua the language can be found in the guide Programming in Lua (first edition), available at http://www.lua.org/pil/contents.html.

Flow-Level Rule

function functionName (dpiMessage, ruleEngine)
  ---code comment
 
  return true
end

Packet-Level Rule

function functionName (dpiMessage, packet)
  ---code comment
 
  return true
end

Two parameters are always required: 1) dpiMessage and 2) ruleEngine or packet, depending on the scope of the rule. These parameters do not have any properties that can be accessed directly from a rule. The properties of these objects must be accessed by calling functions that are available to the rule.

Available Metadata Fields

The full list of metadata fields available in NetMon can be found here.