Routing lookup order:
1. Flow cache (runtime detection)
2. Tunnel/VLAN context override
3. Domain context override
4. Global defaults (protocol/port fields)
5. Heuristics (payload inspection)
6. Catch-all
Heuristics are registered via SPI and ordered by priority.
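The lookup order above, sketched as first-match resolution. This is an added example, not the project's code: the class and field names, the lower-number-first priority convention, and the caching of a heuristic result for the rest of the flow are all assumptions.

```python
# Added illustration: every name here is hypothetical, not the project's API.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    flow: tuple                    # flow key
    proto: str
    port: int
    payload: bytes = b""
    tunnel: Optional[str] = None   # tunnel/VLAN context, if any
    domain: Optional[str] = None   # domain context, if any

@dataclass
class Router:
    flow_cache: dict = field(default_factory=dict)        # flow -> analyzer
    tunnel_overrides: dict = field(default_factory=dict)  # (tunnel, proto, port) -> analyzer
    domain_overrides: dict = field(default_factory=dict)  # (domain, proto, port) -> analyzer
    global_defaults: dict = field(default_factory=dict)   # (proto, port) -> analyzer
    heuristics: list = field(default_factory=list)        # [(priority, fn)]

    def register_heuristic(self, priority, fn):
        # Assumption: a lower priority number is evaluated first.
        self.heuristics = sorted(self.heuristics + [(priority, fn)], key=lambda h: h[0])

    def resolve(self, pkt):
        """Return (analyzer, deciding_stage); the first stage that matches wins."""
        if pkt.flow in self.flow_cache:
            return self.flow_cache[pkt.flow], "flow-cache"
        key = (pkt.proto, pkt.port)
        for stage, table, k in (
            ("tunnel/vlan", self.tunnel_overrides, (pkt.tunnel, *key)),
            ("domain", self.domain_overrides, (pkt.domain, *key)),
            ("global-default", self.global_defaults, key),
        ):
            if k in table:
                return table[k], stage
        for _prio, fn in self.heuristics:      # payload inspection, in priority order
            hit = fn(pkt.payload)
            if hit:
                # Assumption: a runtime detection is cached for the rest of the flow.
                self.flow_cache[pkt.flow] = hit
                return hit, "heuristic"
        return "unknown", "catch-all"

def build_demo_router():  # constructed sample configuration
    r = Router(global_defaults={("tcp", 443): "tls"}, tunnel_overrides={("vlan-20", "tcp", 443): "http"})
    r.register_heuristic(20, lambda p: "http" if p.startswith(b"GET ") else None)
    r.register_heuristic(10, lambda p: "tls" if p[:2] == b"\x16\x03" else None)
    return r
```

Returning the deciding stage alongside the analyzer makes it easy to audit why a flow on a non-standard port was classified the way it was.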
Analyzers attach to specific protocols and emit tokens. An analyzer is disabled via bitmask pruning when it has no subscribers.
Tokens are 16-byte headers with optional extensions, attached directly to packets.
Key token packs:
- CORE: flow start/end, reassembly events
- IDS: alerts
- INDEX: sparse/dense indexing beacons
- USER: custom tokens