A high-performance Deep Packet Inspection (DPI) engine that reads PCAP network captures, extracts TLS Server Name Indication (SNI) and HTTP Host headers, classifies traffic by application, and applies blocking rules. Available in both single-threaded and multi-threaded (producer-consumer) architectures.
- PCAP parsing — Read standard libpcap files (Wireshark/tcpdump format)
- Protocol parsing — Ethernet, IPv4, TCP, UDP headers
- TLS SNI extraction — Extract domain names from HTTPS Client Hello messages
- HTTP Host extraction — Extract domain names from unencrypted HTTP requests
- DNS query extraction — Extract queried domain names from DNS requests
- QUIC detection — Basic QUIC/HTTP3 Initial packet detection
- Application classification — 20+ application signatures (YouTube, Facebook, Google, Netflix, GitHub, etc.)
- Multi-threaded architecture — Reader → Load Balancer → Fast Path pipeline
- Rule-based blocking — Block by IP, application, domain (with wildcards), or port
- Rule persistence — Save/load blocking rules from file
- Thread-safe queues — Bounded producer-consumer queues throughout
- Per-flow tracking — Connection state machine (NEW → ESTABLISHED → CLASSIFIED → CLOSED)
- Statistics reporting — Per-application breakdown, throughput, drop rates
┌─────────────┐
│ PCAP File │
└──────┬──────┘
│
┌──────▼──────┐
│ PcapReader │
└──────┬──────┘
│
┌────────────┴────────────┐
│ hash(5-tuple) % LB │
▼ ▼
┌──────────────┐ ┌──────────────┐
│ LoadBalancer│ │ LoadBalancer│
│ LB0 │ │ LB1 │
└──────┬───────┘ └──────┬───────┘
│ hash(5-tuple) % FPs │
┌─────┴─────┐ ┌─────┴─────┐
▼ ▼ ▼ ▼
┌────────┐ ┌────────┐ ┌────────┐ ┌────────┐
│ FP0 │ │ FP1 │ │ FP2 │ │ FP3 │
│(DPI+CLS)│ │(DPI+CLS)│ │(DPI+CLS)│ │(DPI+CLS)│
└────┬───┘ └────┬───┘ └────┬───┘ └────┬───┘
└──────────┴──────────┴──────────┘
│
┌──────▼──────┐
│ OutputQueue │
└──────┬──────┘
│
┌──────▼──────┐
│ OutputWriter│
└──────┬──────┘
│
┌──────▼──────┐
│ PCAP File │
└─────────────┘
Consistent hashing ensures all packets of the same 5-tuple flow are routed to the same Fast Path thread, enabling correct per-flow state tracking.
| Component | Minimum |
|---|---|
| Compiler | GCC 9+, Clang 12+, MSVC 2019+ |
| C++ Standard | C++17 |
| Build system | CMake 3.16+ |
| OS | Linux (Fedora/Ubuntu/Arch), macOS, Windows |
| Python | 3.6+ (for test data generation) |
sudo dnf install cmake gcc-c++ python3sudo apt install cmake g++ python3sudo pacman -S cmake gcc pythonbrew install cmake gcc- Install Visual Studio 2022 with "Desktop development with C++" workload
- Or install MSYS2 + MinGW-w64 (see WINDOWS_SETUP.md)
git clone https://github.com/souravvoid/DPI-Engine---Deep-Packet-Inspection-System.git
cd DPI-Engine---Deep-Packet-Inspection-System
mkdir build && cd build
cmake ..
cmake --build . --parallel# Debug build
cmake .. -DCMAKE_BUILD_TYPE=Debug
# Release build
cmake .. -DCMAKE_BUILD_TYPE=Release
# Sanitizer build (AddressSanitizer + UndefinedBehaviorSanitizer)
cmake .. -DCMAKE_BUILD_TYPE=Sanitizer
# With tests
cmake .. -DBUILD_TESTING=ON| Target | Description |
|---|---|
packet_analyzer |
Simple packet display tool |
dpi_simple |
Single-threaded DPI engine |
dpi_test |
Minimal CLI test version |
dpi_engine |
Modular multi-threaded DPI engine |
dpi_mt |
Self-contained multi-threaded DPI engine |
python3 generate_test_pcap.py./dpi_engine test_dpi.pcap output.pcap./dpi_engine test_dpi.pcap output.pcap \
--block-app YouTube \
--block-app TikTok \
--block-ip 192.168.1.50 \
--block-domain facebook./dpi_engine input.pcap output.pcap --lbs 4 --fps 4dpi_engine <input.pcap> <output.pcap> [options]
Options:
--block-ip <ip> Block packets from source IP
--block-app <app> Block application (YouTube, Facebook, etc.)
--block-domain <dom> Block domain (supports wildcards: *.facebook.com)
--rules <file> Load blocking rules from file
--lbs <n> Number of load balancer threads (default: 2)
--fps <n> FP threads per LB (default: 2)
--verbose Enable verbose output
--help, -h Show this help
# Basic analysis
./dpi_engine my_capture.pcap filtered.pcap
# Block specific applications
./dpi_engine capture.pcap filtered.pcap --block-app YouTube --block-app Netflix
# Block by IP and domain
./dpi_engine capture.pcap filtered.pcap --block-ip 10.0.0.5 --block-domain *.tiktok.com
# Load rules from file
./dpi_engine capture.pcap filtered.pcap --rules my_rules.txt[BLOCKED_IPS]
192.168.1.100
10.0.0.50
[BLOCKED_APPS]
YouTube
TikTok
[BLOCKED_DOMAINS]
*.facebook.com
twitter.com
[BLOCKED_PORTS]
22
3389
packet_analyzer/
├── .github/workflows/ # CI/CD pipelines
├── include/ # Public headers
│ ├── connection_tracker.h
│ ├── dpi_engine.h
│ ├── fast_path.h
│ ├── load_balancer.h
│ ├── packet_parser.h
│ ├── pcap_reader.h
│ ├── platform.h
│ ├── rule_manager.h
│ ├── sni_extractor.h
│ ├── thread_safe_queue.h
│ └── types.h
├── src/ # Source files
│ ├── main.cpp # Packet display tool
│ ├── main_working.cpp # Simple DPI engine
│ ├── main_simple.cpp # Minimal test
│ ├── main_dpi.cpp # Modular DPI entry point
│ ├── dpi_mt.cpp # Self-contained multi-threaded DPI
│ ├── dpi_engine.cpp # Modular engine orchestrator
│ ├── pcap_reader.cpp # PCAP file reader
│ ├── packet_parser.cpp # Protocol header parser
│ ├── sni_extractor.cpp # SNI / HTTP / DNS extractors
│ ├── types.cpp # Type helpers
│ ├── connection_tracker.cpp
│ ├── fast_path.cpp
│ ├── load_balancer.cpp
│ └── rule_manager.cpp
├── tests/ # Unit tests
│ ├── CMakeLists.txt
│ ├── test_main.cpp
│ ├── test_pcap_reader.cpp
│ ├── test_packet_parser.cpp
│ ├── test_sni_extractor.cpp
│ └── test_types.cpp
├── CMakeLists.txt # Modern CMake build
├── generate_test_pcap.py # Test data generator
├── WINDOWS_SETUP.md # Windows build guide
├── LICENSE # GPL v3
└── README.md # This file
╔══════════════════════════════════════════════════════════════╗
║ DPI ENGINE v2.0 (Multi-threaded) ║
╠══════════════════════════════════════════════════════════════╣
║ Load Balancers: 2 FPs per LB: 2 Total FPs: 4 ║
╚══════════════════════════════════════════════════════════════╝
[Rules] Blocked app: YouTube
[Rules] Blocked IP: 192.168.1.50
[Reader] Processing packets...
[Reader] Done reading 77 packets
╔══════════════════════════════════════════════════════════════╗
║ PROCESSING REPORT ║
╠══════════════════════════════════════════════════════════════╣
║ Total Packets: 77 ║
║ Forwarded: 69 ║
║ Dropped: 8 ║
║ APPLICATIONS ║
║ HTTPS 39 50.6% ########## ║
║ Unknown 16 20.8% #### ║
║ YouTube 4 5.2% # ║
╚══════════════════════════════════════════════════════════════╝
Contributions are welcome! Please follow these guidelines:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
- Follow the
.clang-formatand.clang-tidyconfigurations - Use C++17 features where appropriate
- All new code must include unit tests
- Ensure all tests pass:
cmake --build . --target packet_analyzer_tests && ctest
git clone <your-fork>
cd PacketAnalyzer
mkdir build && cd build
cmake .. -DBUILD_TESTING=ON -DCMAKE_BUILD_TYPE=Debug
cmake --build . --parallel
ctest --output-on-failure- PCAP file reading
- Protocol parsing (Ethernet, IP, TCP, UDP)
- TLS SNI extraction
- HTTP Host extraction
- DNS query extraction
- Application classification (20+ apps)
- Multi-threaded pipeline architecture
- Rule-based blocking
- Persistent rules
- QUIC/HTTP3 full support
- Live capture mode (libpcap)
- REST API for real-time control
- Web dashboard
- Connection bandwidth tracking
- Docker image
- Benchmark suite
- Conan/vcpkg package support
| Problem | Solution |
|---|---|
Cannot open output file |
Check write permissions; try a different path |
Invalid PCAP magic number |
File is not a valid PCAP; try file capture.pcap |
undefined reference to pthread |
Add -pthread flag or link Threads::Threads |
packet_analyzer: command not found |
Run from build/ directory or add to PATH |
| Missing test_dpi.pcap | Run python3 generate_test_pcap.py |
Q: What is Deep Packet Inspection?
A: DPI examines network packet contents beyond basic headers to identify applications, detect threats, or enforce policies — even inside encrypted TLS connections by extracting the SNI field.
Q: How does SNI extraction work with HTTPS?
A: The TLS Client Hello handshake message includes the target domain as plaintext (Server Name Indication). This is sent before encryption begins, making application identification possible even for HTTPS traffic.
Q: Does this work with TLS 1.3?
A: Yes. TLS 1.3 still sends the SNI in the (unencrypted) Client Hello.
Q: Can I use this with live traffic?
A: Currently the engine reads PCAP files. Live capture support (via libpcap) is on the roadmap.
Distributed under the GNU General Public License v3.0. See LICENSE for details.
Sourav — @souravvoid
Project link: https://github.com/souravvoid/DPI-Engine---Deep-Packet-Inspection-System