DOCA Documentation v2.10.0

DOCA Programmable Congestion Control Simulator


This document describes the DPI compiler architecture, supported signature formats, compiler usage, etc.

The DPI compiler is used to compile a signature file, which is loaded into the BlueField RegEx HW accelerator using a dedicated API (doca_dpi_load_signatures(cdo_file)). The output of the DPI compiler is a JSON-based CDO file.

This diagram contains the following elements:

  • Input rules file – file containing a list of rules

    Supported formats:

    1. Suricata (limited support—see section "Description" for more information)

    2. Third party signature files (for more information, contact NVIDIA Networking Support at: networking-support@nvidia.com).

  • RXP compiler – regular expression compiler which is part of the DPI compiler

  • Output CDO file – compiled signature output from compiler. File containing list of rules to be loaded to the RegEx engine.


The following is a Suricata syntax example:


alert udp any any -> any 53 (msg:"ET DOS DNS BIND 9 Dynamic Update DoS attempt"; content:"|00 00 06|"; offset:8; content:"|c0 0c 00 ff|"; sid:2009701; )

Suricata rules are made of three parts – action, header, and options. Take the following rule for example:


drop tcp 1.1.1.1/11 8080 -> 2.2.2.2/22 9090 (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow: to_server; content:"NICK "; nocase; pcre:"/NICK .*USA.*[0-9]{3,}/iI"; sid:2008124;)

The following table breaks down the rule syntax:

| Part | Rule Element |
|------|--------------|
| Action | drop |
| Header | tcp 1.1.1.1/11 8080 -> 2.2.2.2/22 9090 |
| Options | (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow: to_server; content:"NICK "; nocase; pcre:"/NICK .*USA.*[0-9]{3,}/i"; sid:2008124;) |

A detailed explanation can be found in Suricata's official documentation.

DPI compiler has limited support for Suricata format. Field support is detailed in the following table:

| Part | Keyword | Support |
|------|---------|---------|
| Action | Any | Accept any value. The application decides what to do with each action value. |
| Header | Protocol | Possible values: tcp, udp |
| Header | Port | Single port number or range (ex. 100:150) |
| Header | Address | Single IP address and netmask (ex. 1.2.3.4/5) |
| Header | Direction | -> : unidirectional, client-to-server OR server-to-client (default is client-to-server); <> : bidirectional, client to server and server to client |
| Option | msg | Any string – used to identify the rule in case of a match on the DPI |
| Option | http. (must come before content option) | uri, cookie, user_agent, host, server, referer, content_type, location, request_body, response_body |
| Option | http_ (must come after content option) | uri, cookie, user_agent, host, referer, content_type, request_body, response_body |
| Option | content modifiers | nocase, startswith, endswith, offset. Negation (!) for content is not supported. |
| Option | PCRE modifiers | i – PCRE is case insensitive; s – PCRE checks new line characters; A – a pattern must match at the beginning of a buffer; I – makes PCRE match on the HTTP-raw-uri; C – makes PCRE match on the HTTP-cookie; V – makes PCRE match on the HTTP-User-Agent; W – makes PCRE match on the HTTP-Host; P – makes PCRE match on the HTTP-Content for CTS; Q – makes PCRE match on the HTTP-Content for STC |
| Option | ip_proto | Supported values: 1 (ICMP), 6 (TCP), 17 (UDP) |
| Option | flow | from_client, to_client, from_server, to_server |
| Option | tls. | sni – server name indication |
| Option | dns. | query |
| Option | sid | Any number |
| Option | gid | Group rules to have OR dependency for rules with the same SID. By default, every GID is 0. |

Note

If content or PCRE are provided without a field (e.g., http_uri), content/PCRE is searched on TCP/UDP payload according to the header protocol.
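The following pre-check is an added example, not NVIDIA code and not part of the DPI compiler: it lints a Suricata rule against the field-support table above before the rule file is handed to the compiler. The names check_rule and option_listed are hypothetical, anything the table does not list is only reported as "not listed" (an assumption about how to read the table), and address and port forms are not validated.

```python
import re

# Allow-lists transcribed from the field-support table on this page.
PROTOCOLS = {"tcp", "udp"}
HTTP_DOT = {"uri", "cookie", "user_agent", "host", "server", "referer",
            "content_type", "location", "request_body", "response_body"}
HTTP_UNDERSCORE = HTTP_DOT - {"server", "location"}
PLAIN_OPTIONS = {"msg", "content", "pcre", "nocase", "startswith", "endswith",
                 "offset", "ip_proto", "flow", "tls.sni", "dns.query", "sid", "gid"}
PCRE_MODIFIERS = set("isAICVWPQ")
FLOW_VALUES = {"from_client", "to_client", "from_server", "to_server"}
IP_PROTOS = {"1", "6", "17"}

RULE_RE = re.compile(r"^\S+\s+(\S+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$")
# keyword, then optionally ':' and a value; quoted values may contain ';'.
OPTION_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*(!?"(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def option_listed(key):
    if key[:5] in ("http.", "http_"):
        return key[5:] in (HTTP_DOT if key[4] == "." else HTTP_UNDERSCORE)
    return key in PLAIN_OPTIONS

def check_rule(rule):
    """Return the reasons a rule falls outside the documented subset."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return ["not in 'action header (options)' form"]
    proto, body = m.groups()
    problems = [] if proto in PROTOCOLS else [f"protocol {proto}"]
    for key, value in OPTION_RE.findall(body):
        value = value.strip()
        if not option_listed(key):
            problems.append(f"option {key} not listed")
        elif key == "content" and value.startswith("!"):
            problems.append("negated content")
        elif key == "pcre":
            bad = set(value.strip('"').rsplit("/", 1)[-1]) - PCRE_MODIFIERS
            problems += [f"pcre modifier {c}" for c in sorted(bad)]
        elif key == "flow":
            bad = {v.strip() for v in value.split(",")} - FLOW_VALUES
            problems += [f"flow value {v}" for v in sorted(bad)]
        elif key == "ip_proto" and value not in IP_PROTOS:
            problems.append(f"ip_proto {value}")
    return problems

# First rule is the page's own example; the second is constructed for illustration.
PAGE_RULE = 'drop tcp 1.1.1.1/11 8080 -> 2.2.2.2/22 9090 (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow: to_server; content:"NICK "; nocase; pcre:"/NICK .*USA.*[0-9]{3,}/iI"; sid:2008124;)'
CONSTRUCTED_RULE = 'alert icmp any any -> any any (msg:"constructed"; content:!"abc"; depth:4; pcre:"/x/R"; flow:established,to_server; sid:1;)'
```

check_rule(PAGE_RULE) returns an empty list, while the constructed rule is reported for its protocol, negated content, the unlisted depth option, the R PCRE modifier and the established flow value.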

To execute the DPI compiler:

Usage: doca_dpi_compiler [DOCA Flags] [Program Flags]

DOCA Flags:
  -h, --help          Print a help synopsis
  -v, --version       Print program version information
  -l, --log-level     <CRITICAL=20, ERROR=30, WARNING=40, INFO=50, DEBUG=60>

Program Flags:
  -i, --input         Full path to signature file
  -f, --format        Signature file format
  -o, --output        Full path to CDO file
  -c, --classtype     Path to the classtype file for priority in suricata file

For example:


doca_dpi_compiler -i ./suricata_rules.rules -o compiler_output.cdo -f suricata

To run doca_dpi_compiler using a JSON file:


doca_dpi_compiler --json [json_file]

For example:


doca_dpi_compiler --json /tmp/doca_dpi_compiler.json

Refer to DOCA Arg Parser for more information.

| Flag | Description | JSON Content |
|------|-------------|--------------|
| -h / --help | Print all information about the available options | N/A |
| -i / --input | Path to input files | "input" : "/tmp/signatures.rules" |
| -o / --output | Path to output file | "output" : "/tmp/signatures.cdo" |
| -f / --format | Signatures format | "format" : "suricata" |
| -p / --print_rules | Add the RegEx rules being passed to the RXPC to the CDO as well (useful for debug) | "classtype" : "/tmp/classtype_config.txt" |
| -v / --version | Print the current DOCA version in use | N/A |

© Copyright 2025, NVIDIA. Last updated on Jul 10, 2025.