HiPPIE Features
HiPPIE is a robust, high-performance (hence the name) network packet and flow analysis tool whose purpose is to identify network protocols. It is an extension to the Linux kernel that accepts packets from multiple input sources, supports a wide range of protocols, and exposes its results in a number of ways.
Uses
A list of potential usages for HiPPIE is available either on the About HiPPIE page, or on the HiPPIE Usages page.
Sources
Currently there are two sources for feeding packets into HiPPIE. One of them is already considered a legacy implementation and will eventually be deprecated; the ability to add further sources will be addressed at a later date. The currently available packet input sources are:
- Network Devices (Standard Usage) - Any single network interface can be enabled or disabled for HiPPIE processing of its ingress traffic. This allows both passive traffic analysis from a SPAN or tap interface and processing of traffic as it passes through a Linux system configured as a bridge or a router (NOTE: NAT causes some inconsistencies).
- Netfilter (Effectively Deprecated) - This was the original way to receive traffic into HiPPIE, from the days when its whole purpose was to make traffic decisions in netfilter based on HiPPIE analysis. It is no longer the preferred option, and in practice it works considerably less well than reading packets straight off the interfaces.
Protocol Analysis Features
- Session Tracking of Major Internet Protocols (IPv4, TCP, UDP, ICMP, GRE, ESP) - Ability to track sessions across multiple protocols and subprotocols.
- Session Prediction Support - Ability to predict upcoming sessions, for example to catch FTP data sessions, RTSP streaming sessions, and so on.
- Tunneled Protocol Tracking - Ability to look inside a tunneling protocol and determine which protocol the session within it is carrying. A good example is spamming (SMTP) through an HTTP proxy, which HiPPIE would fully detect as [IP][TCP][HTTP Proxy][SMTP].
- Functional Protocol Signatures - Instead of relying on regular expressions or simple byte searches, HiPPIE uses fully functional signatures for protocols, including the capability to validate protocol operations such as checksums, other internal protocol consistency checks, and sizing checks.
- Nth Packet Theory Efficiency - Based on protocol inspection efficiency theories, the capability to fully identify traffic sessions while inspecting only a small percentage of the packets. In some production environments the inspection rate can fall below 5% of all packets, and below 1% of TCP traffic. This makes inspection far more efficient and lessens the load on a HiPPIE system.
- Session Persistence - Inspection of a session normally stops once it has been identified, but there are cases where its packets should continue to be inspected. This continued inspection only needs to happen within the protocol that has already been identified, in order to drive further session prediction (such as FTP file transfers). With session persistence, a protocol can be flagged so that the packets of an identified session keep being fed into a persistence function for this purpose.
- Netfilter/IPTables Integration - Ability to write IPTables rules that filter traffic types in inline mode, by the final traffic type (typically the application protocol), by the encapsulation (TCP, UDP, or even proxy encapsulations such as SOCKS), or by both in the same rule.
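As an added illustration of the difference between a byte-search signature and a functional one, the following Python (written for this page; it is not HiPPIE's own signature code or API) checks a DNS query against the RFC 1035 framing rules (question count, label sizes, total length) and an ICMP echo message against its RFC 1071 checksum. The packets are constructed by hand, and the naive regex, the function names and the particular consistency checks are this example's own choices, not HiPPIE's.

```python
import re
import struct

# All packets below are constructed by hand for this example, not captured traffic.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # ID, flags RD=1, QDCOUNT=1
             b"\x07example\x03com\x00" b"\x00\x01\x00\x01")         # QNAME, QTYPE=A, QCLASS=IN
# Same A/IN trailer, but the header claims one question whose 63-byte label runs off the end.
LOOKS_LIKE_DNS = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x3fabc" + b"\x00\x01\x00\x01"

# A byte-search "signature": anything ending in a QTYPE=A / QCLASS=IN trailer is called DNS.
NAIVE_DNS = re.compile(rb"\x00\x01\x00\x01$")

def naive_dns(payload):
    return NAIVE_DNS.search(payload) is not None


def dns_signature(payload):
    """Functional DNS signature: parse the header, walk every question, and require the
    counts, label sizes and total length to agree with each other."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    if flags & 0x0040:                          # reserved Z bit must be zero
        return False
    if not (flags & 0x8000) and qdcount == 0:   # a query (QR=0) carries at least one question
        return False
    off = 12
    for _ in range(qdcount):
        while True:                             # QNAME: <len><label>... terminated by a 0 byte
            if off >= len(payload):
                return False
            n = payload[off]
            off += 1
            if n == 0:
                break
            if n > 63 or off + n > len(payload):  # label too long, or runs past the packet end
                return False
            off += n
        if off + 4 > len(payload):
            return False
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if qtype == 0 or qclass not in (1, 3, 4, 254, 255):
            return False
    # Sizing check: with no answer/authority/additional records the message must end
    # exactly where the question section ends (an OPT record in ARCOUNT would be allowed).
    if ancount == nscount == arcount == 0 and off != len(payload):
        return False
    return True


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_echo_signature(pkt):
    """Functional ICMP echo signature: type/code must be echo request or reply and the
    checksum over the whole message must verify."""
    if len(pkt) < 8:
        return False
    return pkt[0] in (0, 8) and pkt[1] == 0 and inet_checksum(pkt) == 0

ICMP_ECHO = b"\x08\x00\x8f\x94\x00\x01\x00\x01hi"  # echo request, checksum 0x8f94 computed for it
ICMP_BAD = b"\x08\x00\x8f\x94\x00\x01\x00\x02hi"   # one byte changed, so the checksum no longer verifies
```

Both LOOKS_LIKE_DNS and DNS_QUERY satisfy the byte search; only DNS_QUERY survives the functional signature, and a truncated or padded copy of DNS_QUERY fails the sizing check. The same idea applies to ICMP: ICMP_BAD has the right type and code but the checksum does not verify.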
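The session-handling features above (session tracking, session prediction, tunneled protocol tracking, session persistence and the reduced inspection rate) can be shown together in a small user-space model. This is an added example written for this page, not HiPPIE's code or a description of its in-kernel design; the Tracker class, the signature regexes, the MAX_INSPECT budget, the FTP-DATA label and the replayed trace are all assumptions made for the illustration, and the trace is constructed rather than captured.

```python
import re
from dataclasses import dataclass, field

MAX_INSPECT = 8  # assumed inspection budget per unidentified session; later packets are only counted

@dataclass
class Session:
    stack: list = field(default_factory=list)  # encapsulation stack, innermost protocol last
    identified: bool = False
    persistent: bool = False                   # identified, but packets still go to a persistence function
    tunnel_ready: bool = False                 # HTTP CONNECT answered 200: the inner protocol may now start
    packets: int = 0
    inspected: int = 0

# Minimal functional signatures: each needs a well-formed command from the client side. The "220"
# banner that FTP and SMTP share is deliberately not used, so neither is identified from it.
FTP_CMD = re.compile(rb"^(USER|PASS|PASV|PORT|RETR|STOR|LIST|SYST|TYPE)( [^\r\n]*)?\r\n$")
SMTP_CMD = re.compile(rb"^(EHLO|HELO) \S+\r\n$")
CONNECT = re.compile(rb"^CONNECT \S+:\d+ HTTP/1\.[01]\r\n")
PASV_REPLY = re.compile(rb"^227 [^\r\n]*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# (label, pattern the client must send, keep inspecting after identification?)
SIGNATURES = [("FTP", FTP_CMD, True), ("SMTP", SMTP_CMD, False), ("HTTP Proxy", CONNECT, False)]

def ftp_persist(tracker, payload, from_client):
    """Persistence function for FTP control: a 227 reply from the server predicts the data session."""
    m = None if from_client else PASV_REPLY.match(payload)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        tracker.predicted[("tcp", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)] = ["IP", "TCP", "FTP-DATA"]

PERSIST = {"FTP": ftp_persist}

class Tracker:
    def __init__(self):
        self.sessions = {}   # (proto, client, cport, server, sport) as first seen -> Session
        self.predicted = {}  # (proto, server_ip, server_port) -> stack to assign on the first packet

    def _session(self, proto, src, sport, dst, dport):
        fwd, rev = (proto, src, sport, dst, dport), (proto, dst, dport, src, sport)
        if fwd in self.sessions:
            return self.sessions[fwd], True
        if rev in self.sessions:
            return self.sessions[rev], False
        s = Session(stack=["IP", proto.upper()])
        pred = self.predicted.pop((proto, dst, dport), None)
        if pred is not None:  # predicted session: identified on its first packet, never inspected
            s.stack, s.identified = list(pred), True
        self.sessions[fwd] = s
        return s, True

    def packet(self, proto, src, sport, dst, dport, payload=b""):
        s, from_client = self._session(proto, src, sport, dst, dport)
        s.packets += 1
        if not payload:
            return s
        if s.identified:
            if s.persistent:  # e.g. FTP control: keep watching for PASV within the known protocol
                s.inspected += 1
                PERSIST[s.stack[-1]](self, payload, from_client)
            return s
        if s.inspected >= MAX_INSPECT:
            return s
        s.inspected += 1
        if s.stack[-1] == "HTTP Proxy" and not s.tunnel_ready:
            if not from_client and payload.startswith(b"HTTP/1.") and b" 200" in payload:
                s.tunnel_ready = True  # from here on the payload belongs to the tunnelled protocol
            return s
        for label, pattern, persistent in SIGNATURES:
            if from_client and pattern.match(payload):
                s.stack.append(label)
                if label != "HTTP Proxy":  # a tunnel is not a final answer: keep inspecting inside it
                    s.identified, s.persistent = True, persistent
                return s
        return s

    def inspection_rate(self):
        total = sum(s.packets for s in self.sessions.values())
        return sum(s.inspected for s in self.sessions.values()) / total

def run_demo():
    """Replay a constructed (not captured) trace: FTP with a PASV transfer, SMTP via CONNECT, noise."""
    t = Tracker()
    cli, srv = ("10.0.0.5", 40000), ("192.0.2.10", 21)
    t.packet("tcp", *cli, *srv)  # SYN fixes which side is the client
    for from_client, data in [(False, b"220 ftp ready\r\n"), (True, b"USER anonymous\r\n"),
                              (False, b"331 Send password\r\n"), (True, b"PASS guest\r\n"),
                              (False, b"230 Logged in\r\n"), (True, b"PASV\r\n"),
                              (False, b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n")]:
        a, b = (cli, srv) if from_client else (srv, cli)
        t.packet("tcp", *a, *b, data)
    t.packet("tcp", "10.0.0.5", 40001, "192.0.2.10", 50000)  # data connection to 195*256+80 = 50000
    for _ in range(20):
        t.packet("tcp", "192.0.2.10", 50000, "10.0.0.5", 40001, b"A" * 1400)
    cli, pxy = ("10.0.0.7", 50500), ("198.51.100.3", 3128)
    t.packet("tcp", *cli, *pxy)
    exchange = [(True, b"CONNECT mail.example.test:25 HTTP/1.1\r\nHost: mail.example.test:25\r\n\r\n"),
                (False, b"HTTP/1.1 200 Connection established\r\n\r\n"),
                (False, b"220 mail.example.test ESMTP\r\n"), (True, b"EHLO spammer.example.test\r\n")]
    for from_client, data in exchange + [(True, b"MAIL FROM:<a@example.test>\r\n")] * 20:
        a, b = (cli, pxy) if from_client else (pxy, cli)
        t.packet("tcp", *a, *b, data)
    for _ in range(10):  # nothing matches this, so inspection stops after MAX_INSPECT packets
        t.packet("udp", "10.0.0.9", 5555, "203.0.113.4", 9999, b"\x00\xff\x13\x37")
    return t
```

After run_demo(), the FTP control session ends up as [IP][TCP][FTP] and, because it is persistent, its 227 reply registers a prediction, so the data connection to port 50000 is labelled [IP][TCP][FTP-DATA] on its SYN and none of its 20 data packets is inspected. The proxied session is identified as [IP][TCP][HTTP Proxy][SMTP] after four inspected packets, and the unidentifiable UDP session stops being inspected once its budget of eight packets is spent. In total 19 of the 64 packets are inspected; with longer transfers the rate drops further, which is the Nth-packet effect described above.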
Protocol Support
Protocol support is listed here.