NetMon's Deep Packet Analytics allows users to write rules that interact with network traffic as it is being processed. The rules can be executed in one of two phases of traffic processing.
- Flow (generic): Executes on every flow.
- Packet: Executes on every packet.
Flow rules can read metadata associated with the flow. All metadata should be known and available. No changes can be made to metadata.
Packet rules may not have access to all fields. Some fields are populated or updated as the flow is continually processed. In some cases, the application of the flow is not yet known or fully determined. The application function described in the sections that follow returns the latest known application. Packet rules are the only rules that can make changes to metadata.
Note that Deep Packet Analytics Rules, especially packet rules, can have a significant impact on system performance. If issues occur, please disable or delete the rule; you can find the rule by clicking Rules on the top navigation bar, and then clicking the Deep Packet Analytics Rules tab.
If issues occur and the rules configuration page reports that there was a problem updating the rule changes, you may have to restart the Logger and Engine processes. That can easily be done with a normal configuration change: on the top navigation bar, click Configuration, then click the Engine tab, and then click Apply Changes.
Flow State Differences Table
|Fires on end-of-flow events||Fires for every single packet (a LOT)|
|Can trigger an alarm||Cannot trigger an alarm|
|Can set custom fields||Can set custom fields|
|Can access metadata fields||Can access metadata fields|
Required Lua Function Format
To interact with the network traffic using Deep Packet Analytics Rules, you must create a Lua function in the following required format.
More information on Lua the language can be found in the guide Programming in Lua (first edition), available at http://www.lua.org/pil/contents.html.
function functionName (dpiMessage, ruleEngine)
function functionName (dpiMessage, packet)
Two parameters are always required: 1)
dpiMessage and 2)
packet, depending on the scope of the rule. These parameters do not have any properties that can be accessed directly from a rule. The properties of these objects must be accessed by calling functions that are available to the rule.
Available Metadata Fields
The full list of metadata fields available in NetMon can be found here.