See every application flowing through VPP.
PacketLens is an open-source DPI plugin suite for FD.io VPP. It classifies 300+ applications in real time — inside the data plane, at line rate, with zero hardware changes.

What PacketLens does
Classifies traffic
Identifies YouTube, Zoom, Netflix, BitTorrent, TLS clients, DNS, and 300+ more — using nDPI, the same engine behind ntopng and Suricata. No decryption. No separate box.
Enforces policy
Drop, rate-limit, or DSCP-mark traffic by application class. Policy rules installed at runtime via CLI or binary API. No restarts.
Exports telemetry
IPFIX flow records enriched with application name and TLS SNI. Prometheus metrics from VPP's stats segment. Grafana dashboard included.
Reacts automatically
BGP FlowSpec in both directions via embedded GoBGP — VPP pushes rate-limit or drop rules to an upstream PE when thresholds are crossed, and receives FlowSpec from an upstream controller to enforce as a scrubbing center.
Inside the data plane, not next to it
Commercial DPI appliances sit next to your router on a mirror port. They cost $80K–$300K per chassis, require dedicated hardware, and add an extra hop to your management plane.
PacketLens runs inside VPP itself, as a feature arc node on ip4-unicast. Classification happens in nanoseconds, on the same CPU core as your forwarding path. No mirror port. No extra server. No per-Gbps license.
VPP is the forwarding engine behind 100G–800G production deployments at ISPs and carriers. PacketLens inherits that scale: DPI is not a bottleneck because it adds less than 8 ns per packet on the fast path once a flow's classification is cached.
Live application visibility in Grafana
The included Grafana dashboard shows real-time application traffic — throughput, flow rates, and engine metrics — scraped from VPP's stats segment via Prometheus.


IPFIX export to any collector
PacketLens exports RFC 7011 IPFIX flow records enriched with nDPI metadata — application name, category, TLS SNI, and JA3 fingerprint. Any standard IPFIX/NetFlow collector can consume the stream.


ntopng dashboard

Per-host breakdown
Lab stack: VPP → IPFIX UDP/2055 → nProbe → ZMQ → ntopng.
BGP FlowSpec enforcement — automatic upstream mitigation
When vpp-ndpi detects an application threshold crossing, vpp-flowspec automatically pushes BGP FlowSpec rules to your upstream router via embedded GoBGP. YouTube hitting 500 B/s? FRR rate-limits it before it reaches VPP.

Lab stack: VPP + nDPI → Unix socket → flowspec-ctrl (GoBGP) → BGP session → FRR PE.
BGP FlowSpec receive — VPP as scrubbing center
vpp-flowspec-recv closes the loop: an upstream controller (FRR, Juniper, Cisco) announces FlowSpec rules via BGP, and VPP installs them in its data plane instantly — drop or rate-limit matching traffic before it reaches downstream hosts.

Lab stack: FRR PE (AS 65000) → BGP session → flowspec-recv sidecar (AS 65002) → Unix socket → VPP data plane.
Per-app enforcement — drop, permit at wire speed
vpp-policy enforces drop/permit rules inline on the ip4-unicast feature arc. Rules apply only to classified flows — unclassified packets are always permitted so nDPI can finish its verdict.

Two CLI commands to deploy: set interface policy eth0 enable + set policy app BitTorrent action drop.
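The fail-open rule above has a measurable consequence: a drop rule only takes effect once classification converges, so the first packets of a matching flow are forwarded. The following is an added example, not PacketLens or VPP code: a stand-alone C model whose names (flow, policy, classify, on_packet, leaked_packets) are hypothetical, and which assumes the verdict applies to the packet that completes classification.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model for illustration; not PacketLens or VPP code. */
enum app { APP_UNKNOWN = 0, APP_DNS, APP_BITTORRENT, APP_MAX };
enum action { ACT_PERMIT = 0, ACT_DROP };

struct flow {
    enum app app;     /* APP_UNKNOWN until the classifier converges */
    uint32_t seen;    /* packets inspected so far */
    uint32_t passed;  /* packets forwarded */
};

static enum action policy[APP_MAX]; /* zero-initialised: permit all */

/* Stand-in for the DPI engine: reports the real application only once
 * converge_at packets have been inspected (the page quotes 3-8). */
static enum app classify(uint32_t seen, enum app truth, uint32_t converge_at)
{
    return seen >= converge_at ? truth : APP_UNKNOWN;
}

/* Per-packet decision: classify while unknown, reuse the cached verdict after. */
static enum action on_packet(struct flow *f, enum app truth, uint32_t converge_at)
{
    f->seen++;
    if (f->app == APP_UNKNOWN)
        f->app = classify(f->seen, truth, converge_at);
    /* Unclassified packets are always permitted, as the page states. */
    enum action a = (f->app == APP_UNKNOWN) ? ACT_PERMIT : policy[f->app];
    if (a == ACT_PERMIT)
        f->passed++;
    return a;
}

/* Push npkts packets of one flow through and count how many are forwarded. */
static uint32_t leaked_packets(enum app truth, uint32_t converge_at, uint32_t npkts)
{
    struct flow f = {0};
    for (uint32_t i = 0; i < npkts; i++)
        on_packet(&f, truth, converge_at);
    return f.passed;
}

int main(void)
{
    policy[APP_BITTORRENT] = ACT_DROP; /* mirrors: set policy app BitTorrent action drop */
    printf("converge@3, 20 pkts: %u forwarded\n", (unsigned)leaked_packets(APP_BITTORRENT, 3, 20));
    printf("converge@8, 20 pkts: %u forwarded\n", (unsigned)leaked_packets(APP_BITTORRENT, 8, 20));
    printf("converge@8,  5 pkts: %u forwarded\n", (unsigned)leaked_packets(APP_BITTORRENT, 8, 5));
    return 0;
}
```

When validating a drop rule in a lab, expect the first few packets of a blocked application to reach the far side, and expect flows shorter than the convergence window to pass in full.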
Per-app rate limiting — drop or DSCP-mark at wire speed
vpp-policer-ndpi attaches a token-bucket policer to each application class. YouTube saturating a link? Cap it to 5 Mbps and DSCP-mark excess packets for downstream QoS — all inside VPP, no separate device.

One command: set policer-ndpi app YouTube rate 5M burst 40K dscp-mark 8.
Composable plugin stack
Each plugin registers on the same VPP feature arc. Enable only what you need — the data plane cost is proportional to the plugins you activate.
All PacketLens plugins are open-source (Apache 2.0). Commercial support and custom integration available from PacketFlow.
Performance
| Metric | Value | Condition |
|---|---|---|
| Line rate | 100G–800G | VPP multi-worker, scales linearly |
| Overhead per packet (classifying) | ~150 ns | first 3–8 packets per flow |
| Overhead per packet (cached flow) | ~8 ns | bihash lookup only — invisible at any line rate |
| Flow table lookup | O(1) | per-worker, no locks |
| Max flows per worker | 1M | configurable |
| Classification convergence | 3–8 pkts | 95th pct, TCP/TLS |
| Protocols classified | 300+ | nDPI 4.2.0 |
Built on proven open-source foundations
FD.io VPP
Packet processing framework — 100+ Gbps forwarding, used by Cisco, Ericsson, Nokia, and scores of network vendors. Apache 2.0.
ntop nDPI
Deep packet inspection — 300+ protocols, used by ntopng, Suricata, Zeek, pfSense, and Arkime. LGPL-3.0.
Prometheus + Grafana
Industry-standard metrics and dashboards. Zero-code integration via VPP's stats segment shared memory. Apache 2.0.