ntop/nDPI

Correct use of different protocol types

TxS-7 opened this issue · 0 comments

TxS-7 commented

Hello,

I'm using nDPI 4.8 Stable release for a traffic classification application. Performance is important for this application so I try to minimize the number of classification attempts per flow.

More specifically, when a traffic flow is classified using either ndpi_protocol.master_protocol or ndpi_protocol.app_protocol (ndpi_typedefs.h), I consider the classification as complete and do not retry.

For this application, what do you believe the correct strategy would be as to the different "protocol types" offered by the library: master_protocol, app_protocol, protocol_by_ip?

Currently, I limit the use of protocol_by_ip to cases where the app_protocol is TLS and the reason is that if I always used protocol_by_ip, the flow would be classified using the server's IP before even the TLS handshake with the host name is exchanged.

Thank you.
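The strategy described in the issue, written out as an added C example (not code from the issue author or from the nDPI project): a small decision function that treats any non-unknown master_protocol or app_protocol as final, consults protocol_by_ip only when app_protocol is plain TLS, and even then waits until the host-name carrying ClientHello has been seen so the server address never pre-empts the name. The struct fields mirror the three ndpi_protocol members named in the issue, but the numeric ids, the `flow_state` fields, and the function names are this example's own placeholders, not nDPI's API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the fields of nDPI's ndpi_protocol (ndpi_typedefs.h).
 * The numeric ids are this example's own placeholders, not nDPI's enum values. */
#define PROTO_UNKNOWN 0
#define PROTO_TLS     1
#define PROTO_HTTP    2
#define PROTO_GOOGLE  3

typedef struct {
    uint16_t master_protocol;  /* carrier, e.g. TLS                        */
    uint16_t app_protocol;     /* refined result, e.g. Google via SNI      */
    uint16_t protocol_by_ip;   /* guess from the server address alone      */
} proto_result;

/* Per-flow state the application keeps next to the nDPI result (assumed names). */
typedef struct {
    proto_result proto;
    bool detection_completed;    /* engine has nothing more to add for this flow   */
    bool tls_client_hello_seen;  /* the host-name carrying handshake was parsed    */
    unsigned packets_processed;
    unsigned packet_budget;      /* after this many packets the app stops retrying */
} flow_state;

typedef enum { DECISION_RETRY = 0, DECISION_DONE = 1 } decision;

static flow_state make_flow(uint16_t master, uint16_t app, uint16_t by_ip,
                            bool completed, bool hello_seen,
                            unsigned packets, unsigned budget) {
    flow_state f = { { master, app, by_ip }, completed, hello_seen, packets, budget };
    return f;
}

/* Core policy: decide whether to stop classifying this flow and which id to report. */
static decision classify_decision(flow_state f, uint16_t *reported) {
    const proto_result *p = &f.proto;
    bool budget_left = !f.detection_completed && f.packets_processed < f.packet_budget;

    if (p->app_protocol == PROTO_TLS) {
        /* Plain TLS with no SNI refinement yet. protocol_by_ip is consulted only here,
         * and only once the ClientHello has been seen, so the server address never
         * overrides a host name that may still be on its way. */
        if (!f.tls_client_hello_seen && budget_left) {
            *reported = PROTO_TLS;
            return DECISION_RETRY;
        }
        *reported = (p->protocol_by_ip != PROTO_UNKNOWN) ? p->protocol_by_ip : PROTO_TLS;
        return DECISION_DONE;
    }

    /* Any other master or app result is final; protocol_by_ip is ignored. */
    if (p->app_protocol != PROTO_UNKNOWN)    { *reported = p->app_protocol;    return DECISION_DONE; }
    if (p->master_protocol != PROTO_UNKNOWN) { *reported = p->master_protocol; return DECISION_DONE; }

    /* Nothing known: keep feeding packets while the budget lasts, then give up. */
    *reported = PROTO_UNKNOWN;
    return budget_left ? DECISION_RETRY : DECISION_DONE;
}

/* One-value accessors so callers can ask either question separately. */
decision decide(flow_state f) { uint16_t r; return classify_decision(f, &r); }
uint16_t report(flow_state f) { uint16_t r; classify_decision(f, &r); return r; }

int main(void) {
    /* Constructed flows covering the cases discussed in the issue. */
    flow_state cases[] = {
        make_flow(PROTO_TLS, PROTO_TLS, PROTO_GOOGLE, false, false, 2, 10), /* TLS, no hello yet */
        make_flow(PROTO_TLS, PROTO_TLS, PROTO_GOOGLE, false, true,  3, 10), /* TLS, hello seen    */
        make_flow(PROTO_TLS, PROTO_GOOGLE, PROTO_HTTP, false, true, 3, 10), /* SNI refined app    */
        make_flow(PROTO_HTTP, PROTO_HTTP, PROTO_GOOGLE, false, false, 1, 10), /* non-TLS app      */
        make_flow(PROTO_UNKNOWN, PROTO_UNKNOWN, PROTO_GOOGLE, false, false, 10, 10), /* budget out */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint16_t id;
        decision d = classify_decision(cases[i], &id);
        printf("flow %zu: %s, report %u\n", i, d == DECISION_DONE ? "done " : "retry", id);
    }
    return 0;
}
```

The TLS branch is the only place protocol_by_ip is read, which is the restriction the issue describes; everything else stops at the first non-unknown master or app value. The packet budget and `detection_completed` flag are the two conditions under which the function stops waiting for a ClientHello and accepts the address-based guess.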