Advanced Features

Router and Heuristics

Routing lookup order:

  1. Flow cache (runtime detection)

  2. Tunnel/VLAN context override

  3. Domain context override

  4. Global defaults (protocol/port fields)

  5. Heuristics (payload inspection)

  6. Catch-all

Heuristics are registered via SPI and ordered by priority.
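The lookup order above, modelled as an added example (not the library's own code or API). Packet, Router, the probe functions, the table layouts, the "lower priority value runs first" ordering and the caching of heuristic results per flow are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:                      # constructed stand-in, not the library's packet type
    flow: str                      # flow key
    port: int
    payload: bytes = b""
    vlan: Optional[int] = None
    domain: Optional[str] = None

class Router:
    def __init__(self):
        self.flow_cache = {}        # 1. flow key -> protocol
        self.vlan_overrides = {}    # 2. (vlan, port) -> protocol
        self.domain_overrides = {}  # 3. (domain, port) -> protocol
        self.port_defaults = {}     # 4. port -> protocol
        self.heuristics = []        # 5. (priority, probe)

    def register_heuristic(self, priority, probe):
        self.heuristics.append((priority, probe))
        self.heuristics.sort(key=lambda h: h[0])  # assumption: lower value runs first

    def route(self, pkt):
        """Return (protocol, name of the stage that decided)."""
        tables = (("flow-cache", self.flow_cache, pkt.flow),
                  ("vlan-override", self.vlan_overrides, (pkt.vlan, pkt.port)),
                  ("domain-override", self.domain_overrides, (pkt.domain, pkt.port)),
                  ("global-default", self.port_defaults, pkt.port))
        for stage, table, key in tables:
            if key in table:
                return table[key], stage
        for _priority, probe in self.heuristics:
            proto = probe(pkt.payload)
            if proto:
                self.flow_cache[pkt.flow] = proto  # assumption: detections are cached per flow
                return proto, "heuristic"
        return "payload", "catch-all"              # 6. nothing matched

def probe_tls(payload):   # TLS record: content type 0x16 (handshake), major version 0x03
    return "tls" if payload[:2] == b"\x16\x03" else None

def probe_http(payload):  # HTTP request line starts with a method token
    return "http" if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD") else None

def build_router():
    r = Router()
    r.port_defaults.update({80: "http", 443: "tls"})
    r.vlan_overrides[(100, 80)] = "proxy"   # constructed override
    r.register_heuristic(20, probe_http)
    r.register_heuristic(10, probe_tls)
    return r
```

In this model a TLS handshake on an unlisted port is classified by payload inspection on its first packet and by the flow cache afterwards, while a port with a global default never reaches the heuristics.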

Analyzer Subsystem

Analyzers attach to specific protocols and emit tokens. An analyzer with no subscribers is disabled via bitmask pruning.

Token Subsystem

Tokens are 16-byte headers with optional extensions, attached directly to packets.

Key token packs:

  • CORE: flow start/end, reassembly events

  • IDS: alerts

  • INDEX: sparse/dense indexing beacons

  • USER: custom tokens
