A Deep Packet Inspection engine written in C++ that analyzes network traffic from PCAP files, identifies applications using packet metadata and TLS SNI inspection, and applies filtering rules to block specific applications, domains, or IP addresses.
The system parses multiple network protocol layers, tracks connections using the Five-Tuple, and processes packets using a multi-threaded architecture to improve performance and scalability.
๐ Overview โข ๐ Features โข ๐ Architecture โข ๐ Structure โข ๐ Build โข
This project demonstrates how modern network monitoring and security systems analyze traffic beyond traditional packet filtering.
Captured network traffic is provided as a PCAP file, which is processed by the DPI engine. The engine analyzes each packet, applies filtering rules, and writes allowed traffic into a new filtered PCAP output file.
โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโ
โ Input PCAP โ โโโโโโโถโ DPI Engine โ โโโโโโโถโ Filtered PCAP Out โ
โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโ
| Step | Description |
|---|---|
| ๐ฆ Packet Parsing | Parse raw bytes across protocol layers |
| ๐ Flow Identification | Group packets into network flows |
| ๐ง Application Detection | Identify apps via metadata & SNI |
| ๐ซ Rule-based Filtering | Apply block/allow rules |
| ๐ Statistics Generation | Output traffic analysis report |
The engine parses multiple network protocol layers:
โโโโโโโโโโโโโโโโ
โ Ethernet โ โ MAC addresses, EtherType
โโโโโโโโโโโโโโโโค
โ IPv4 โ โ Source/Destination IPs, TTL
โโโโโโโโโโโโโโโโค
โ TCP / UDP โ โ Ports, flags, sequence numbers
โโโโโโโโโโโโโโโโค
โ Payload โ โ Application-layer data
โโโโโโโโโโโโโโโโ
This enables extraction of critical network metadata for deeper inspection.
Each connection is tracked using the Five-Tuple:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Five-Tuple Flow ID โ
โ โ
โ ๐ Source IP โ 192.168.x.x โ
โ ๐ Destination IP โ 142.250.x.x โ
โ ๐ Source Port โ 54321 โ
โ ๐ Destination Port โ 443 โ
โ ๐ก Protocol โ TCP โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Packets sharing the same Five-Tuple belong to the same network flow, allowing stateful traffic analysis.
The engine inspects packet payloads to detect applications.
For HTTPS traffic, it extracts the Server Name Indication (SNI) from the TLS handshake โ revealing the domain name before encryption begins.
TLS ClientHello
โโโ Extension: server_name
โโโ SNI: www.youtube.com
โ
โผ
Detected App: YouTube โ
The system supports rule-based traffic filtering, allowing blocking by:
| Rule Type | Example |
|---|---|
| ๐งพ IP Address | --block-ip 203.0.113.5 |
| ๐ฑ Application | --block-app YouTube |
| ๐ Domain Name | --block-domain facebook |
Packets matching blocking rules are dropped and not written to the output file.
The project includes two implementations.
A simple implementation where packets are processed sequentially.
Useful for learning packet inspection and debugging packet processing.
PCAP Reader โโโถ Packet Parser โโโถ Classifier โโโถ Rule Engine โโโถ Output
A high-performance implementation that processes packets in parallel.
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Parallel Processing Pool โ
โ โ
PCAP Reader โโโถ โ Load Balancer โโโถ โ๏ธ Worker โโโถ ... โโโโถ Output Writer
โ โโโถ โ๏ธ Worker โโโถ ... โ
โ โโโถ โ๏ธ Worker โโโถ ... โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
| Thread | Role |
|---|---|
| ๐ฅ Reader | Reads packets from PCAP file |
| โ๏ธ Load Balancer | Distributes packets across workers |
| โ๏ธ Worker (Fast Path) | Inspects and classifies packets |
| ๐พ Output Writer | Writes allowed packets to output |
This architecture allows the system to scale with available CPU cores.
deep-packet-inspector/
โ
โโโ ๐ include/
โ โโโ Header files for packet parsing, flow tracking, and DPI logic
โ โโโ connection_tracker.h
โ โโโ dpi_engine.h
โ โโโ fast_path.h
โ โโโ load_balancer.h
โ โโโ packet_parser.h
โ โโโ pcap_reader.h
โ โโโ platform.h
โ โโโ rule_manager.h
โ โโโ sni_extractor.h
โ โโโ thread_safe_queue.h
โ โโโ types.h
โ
โโโ ๐ src/
โ โโโ Core implementation of the DPI engine
โ โโโ main.cpp / main_dpi.cpp / main_working.cpp
โ โโโ dpi_engine.cpp / dpi_mt.cpp
โ โโโ pcap_reader.cpp
โ โโโ packet_parser.cpp
โ โโโ sni_extractor.cpp
โ โโโ connection_tracker.cpp
โ โโโ rule_manager.cpp
โ โโโ fast_path.cpp
โ โโโ load_balancer.cpp
โ โโโ types.cpp
โ
โโโ ๐ generate_test_pcap.py โ Generate sample network traffic
โโโ ๐ฆ test_dpi.pcap โ Example PCAP file for testing
โโโ โ๏ธ CMakeLists.txt โ Build configuration
โโโ ๐ช WINDOWS_SETUP.md โ Windows build instructions
โโโ ๐ README.md
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ
โ 1๏ธโฃ READ Read packet from PCAP file โ
โ โ โ
โ โผ โ
โ 2๏ธโฃ PARSE Extract MAC, IP, ports, protocol โ
โ โ โ
โ โผ โ
โ 3๏ธโฃ IDENTIFY Generate Five-Tuple flow ID โ
โ โ โ
โ โผ โ
โ 4๏ธโฃ INSPECT Extract SNI from TLS handshake โ
โ โ โ
โ โผ โ
โ 5๏ธโฃ EVALUATE Check packet against blocking rules โ
โ โ โ
โ / \ โ
โ โผ โผ โ
โ โ
โ โ
โ Forward Drop โ
โ to PCAP โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
- C++17 compatible compiler (
g++,clang++, or MSVC) - Linux / macOS / Windows (MinGW)
- Python 3 (optional โ for generating test PCAP files)
g++ -std=c++17 -O2 -I include \
src/*.cpp \
-o dpi_engine๐ช Windows users: See WINDOWS_SETUP.md for detailed Visual Studio, MinGW, and WSL instructions.
./dpi_engine input.pcap output.pcap./dpi_engine input.pcap output.pcap \
--block-app YouTube \
--block-ip 192.168.1.50 \
--block-domain facebookโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ DPI Engine โ Results โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฃ
โ Total Packets : 77 โ
โ Forwarded : 69 โ
โ
โ Dropped : 8 โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฃ
โ Detected Applications: โ
โ โข HTTPS โ
โ โข YouTube โ
โ โข Facebook โ
โ โข DNS โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
- โ Adding more application signatures
- ๐ก Supporting live network packet capture
- โฑ๏ธ Implementing bandwidth throttling
- ๐ Creating a web dashboard for monitoring
- โก Adding support for QUIC / HTTP3 traffic
This project demonstrates important network security and packet analysis concepts:
| Concept | What It Shows |
|---|---|
| ๐ฆ Network packet structure | Multi-layer protocol parsing |
| ๐ Flow tracking | Five-Tuple state machine |
| ๐ Deep packet inspection | Payload-level application detection |
| ๐ TLS handshake analysis | SNI extraction before encryption |
| โก Multi-threaded systems | Thread-safe queues & load balancing |
It serves as a practical learning project for:
Network Security โข Packet Analysis โข Traffic Monitoring Systems