Compendium

Network Protocol Description & Packet DSLs Family Index

13 min read

Network Protocol Description & Packet DSLs Family Index

type: language-family-index family: network-protocol-dsls languages_catalogued: 28 tags: [language-reference, family-index, network-protocol-dsls, p4, yang, netconf, openconfig, snort, suricata, zeek, wireshark, ebpf, nftables, openflow, kaitai, quic, tls]

Network Protocol Description & Packet DSLs — Family Index

Family overview

Network protocol DSLs are the textual languages that describe how packets are parsed, matched, forwarded, blocked, and understood. Unlike general-purpose languages, they are tightly coupled to a single problem shape — bytes-on-the-wire — and their grammars usually encode some combination of (a) bit-level field layouts, (b) match-action pipelines, and (c) protocol-state machines. The family spans seven decades, from the SMI/SMIv2 ASN.1 macros of 1980s SNMP, through the DNS zone file format (RFC 1035, 1987), to 2026’s programmable-dataplane languages running on Tofino-3-class silicon at multi-Tbps line rate.

The defining 2010s shift was the programmable-dataplane revolution. Until ~2014 every switch ASIC had a fixed parser: the chip understood Ethernet+IPv4+IPv6+TCP+UDP and that was it. P4 (POPL/SIGCOMM 2014, then P4_14, then P4_16 as the current canonical revision) replaced the fixed parser with a target-independent language that compiles to the chip’s match-action units, letting operators add new headers (VXLAN, Geneve, INT telemetry, custom MPLS-SR variants) without an ASIC respin. Barefoot/Intel Tofino, Intel/Mellanox SmartNICs, and Xilinx FPGAs all converged on P4_16 (current spec v1.2.5 stable / v1.5.0 working draft, Feb 2026). Broadcom answered with NPL on Trident-4/Jericho-2/Tomahawk silicon, which remains a live but smaller competitor.

Above the dataplane sits the YANG/NETCONF/RESTCONF stack (IETF, 2010+), the IETF’s answer to “vendor CLIs are not a config API.” YANG 1.1 (RFC 7950, 2016) is the data-modelling language; NETCONF (RFC 6241) and RESTCONF (RFC 8040) are the wire protocols that ferry YANG-validated trees. The OpenConfig consortium publishes vendor-neutral YANG models that Arista, Cisco, Juniper, Nokia, Ciena, and Dell now implement — the closest thing the industry has to a universal switch/router config API in 2026.

In parallel, three other DSL clusters serve different audiences: IDS/IPS rules (Snort 3, Suricata 8, Zeek scripting, YARA) for security-team pattern matching; kernel-network DSLs (eBPF, tcpdump/BPF expressions, nftables, iptables) for Linux packet handling; and packet-analysis / dissection languages (Wireshark Lua, Scapy, Kaitai Struct) for analysts who need to inspect or synthesise wire formats by hand. Application-layer protocols themselves — DNS zone files, MIB/SMIv2, SIP/SDP, HTTP/2 + HTTP/3 + QUIC frame grammars, and the TLS 1.3 handshake structured-message language — round out the family with grammars that, while embedded in RFC pseudocode rather than a separate compiler, function exactly like DSLs in practice.

In our deep library

None catalogued as standalone deep notes — every member of this family sits either inside an RFC, a vendor SDK, or a host-language library.

Cross-reference:

  • api-description — gRPC + Protocol Buffers are the dominant application-level network API DSL and overlap with this family for service-mesh / control-plane work; XML/JSON Schema infrastructure also lives there.
  • assembly-and-encoding — eBPF and classic BPF live in the kernel-assembly bucket but are cross-listed here as the de facto kernel-network DSL of 2026.
  • config-management — NETCONF/RESTCONF/YANG are increasingly invoked from Ansible, Terraform, and Nornir to drive device config; that family covers the orchestration side.
  • notation-spec — YANG, ASN.1, and SMIv2 are formal grammars for data modelling, parallel to the IDL/spec families catalogued there.
  • industrial-automation — OT networks (Modbus/TCP, Profinet, EtherNet/IP, OPC UA) overlap with this family at the protocol layer; many Wireshark dissectors and Snort rules target OT protocols specifically.
  • regex-flavors — Snort/Suricata pcre: modifiers and YARA $re strings ride on PCRE2.
  • python — host language for Scapy, the most-used Python packet-construction DSL; also the dominant control-plane scripting language for OpenFlow controllers (Ryu) and NETCONF clients (ncclient).
  • lua — host language for Wireshark dissector plugins.
  • c — Wireshark’s native dissector language; also the kernel-side language behind every BPF/eBPF program (compiled via clang -target bpf).

Tier 3 family table — Programmable dataplane

FormatFirst appearedOriginTypeStatus (2026)URL
P4_162017 (P4_16 spec) / 2014 (original P4 paper, SIGCOMM CCR)P4 Language Consortium → ONF; founders Pat Bosshart, Nick McKeown, Jennifer Rexford et al.Match-action pipeline DSL targeting programmable ASICs/SmartNICs/FPGAsActive; spec v1.2.5 stable + v1.5.0 working draft (Feb 2026); de facto industry standardhttps://p4.org/specifications/
P4_142014SamePredecessor revision; struct-of-tables modelLegacy; new code targets P4_16; P4_14 → P4_16 translator maintainedhttps://github.com/p4lang/p4-spec
NPL (Network Programming Language)2019Broadcom (Trident-4 launch)High-level language for Trident/Tomahawk/Jericho ASIC pipelines; competitor to P4Active but minority; spec v1.5.1; Broadcom-anchored, smaller ecosystem than P4https://github.com/nplang/NPL-Spec
P4Runtime2018P4.org API Working GroupgRPC-based control-plane API for P4 targets; not a DSL itself but the contract between control plane and P4 programActive, current spec v1.4https://p4lang.github.io/p4runtime/spec/main/P4Runtime-Spec.html
OpenFlow flow-mod / OF-DPA2008 (OF 1.0)Stanford (McKeown, Casado, Parulkar) → Open Networking FoundationFlow-rule DSL: 12-tuple match → action list; SDN’s first widely-deployed dataplane languageLegacy / niche; OF 1.5 final; Open vSwitch supports 1.0–1.5; superseded by P4 for new programmable siliconhttps://opennetworking.org/sdn-resources/openflow/

Tier 3 family table — Device config / data modelling

FormatFirst appearedOriginTypeStatus (2026)URL
YANG 1.12016 (RFC 7950); YANG 1.0 = RFC 6020 (2010)IETF NETMOD WGTree-structured data-modelling language for network device config + stateActive; canonical IETF data model language; 1.1 still current 2026, no 1.2 in sighthttps://www.rfc-editor.org/info/rfc7950
NETCONF2006 (RFC 4741) → 2011 (RFC 6241)IETF NETCONF WGXML-RPC-style config protocol over SSH/TLS; YANG-validated payloadsActive; widely deployed on Cisco IOS XE/XR, Junos, Arista EOS, Nokia SRhttps://www.rfc-editor.org/info/rfc6241
RESTCONF2017 (RFC 8040)IETF NETCONF WGRESTful HTTP sibling to NETCONF; same YANG models, JSON or XML encodingActive, lighter touch than NETCONF, gaining ground in cloud-native NetOpshttps://www.rfc-editor.org/info/rfc8040
OpenConfig models2014 (founded)OpenConfig consortium (Google, AT&T, BT, Microsoft, Comcast et al.)Vendor-neutral YANG model set for routing/switching/optical/wifiVery active; supported on Arista, Cisco, Juniper, Nokia, Ciena, Dell; closest thing to a universal device-config APIhttps://www.openconfig.net/projects/models/
MIB / SMIv21990 (SMI) / 1999 (RFC 2578, SMIv2)IETFASN.1-flavoured macro language for SNMP managed objectsLegacy but still ubiquitous on every box that supports SNMP; net-new device modelling has moved to YANGhttps://www.rfc-editor.org/info/rfc2578

Tier 3 family table — Packet analysis / dissection

FormatFirst appearedOriginTypeStatus (2026)URL
Wireshark dissector C1998 (Ethereal)Gerald Combs et al.Native C plugin API; one dissector function per protocolVery active; current Wireshark 4.4.x linehttps://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html
Wireshark dissector Lua~2006Wireshark projectEmbedded Lua 5.3/5.4 (Wireshark 4.4+) for analyst-written dissectors without rebuildVery active; the standard way to add proprietary-protocol supporthttps://www.wireshark.org/docs/wsdg_html_chunked/wsluarm.html
Scapy DSL2003Philippe BiondiPython-internal eDSL for packet crafting/parsing/replay; IP()/TCP()/Raw(...) syntaxVery active; current 2.6.x; default tool for ad-hoc packet constructionhttps://scapy.readthedocs.io/
Kaitai Struct2015Mikhail Yakshin et al.YAML-based declarative binary-format DSL; compiles to parsers in C++/C#/Go/Java/JS/Lua/Nim/Perl/PHP/Python/Ruby/RustActive; widely used in protocol RE, malware analysis, forensicshttps://kaitai.io/
Construct (Python)2008Tomer FilibaPython-internal declarative DSL for binary structs; bidirectional parse/buildActive (community-maintained)https://construct.readthedocs.io/
PCAP / pcapng1988 (libpcap) / 2004 (pcapng)LBNL (libpcap) / Wireshark (pcapng)Capture-file container format; pcapng adds per-packet metadata + multi-interfaceActive; pcapng is the modern default; libpcap-style pcap still ubiquitoushttps://www.ietf.org/archive/id/draft-ietf-opsawg-pcapng-04.html

Tier 3 family table — IDS / IPS / firewall rules

FormatFirst appearedOriginTypeStatus (2026)URL
Snort 3 rule language2003 (Snort 2 rules) → 2021 (Snort 3 GA)Sourcefire → Cisco / TalosIDS/IPS rule DSL: alert tcp any any -> any 80 (msg:"..."; content:"..."; pcre:"..."; sid:NNN;)Very active; current Snort 3.12.1.0; new width/endian content modifiers (3.6.2.0); Talos rule sets gated on 3.12.0.0+https://docs.snort.org/rules/
Suricata rules2010OISF (Open Information Security Foundation)Snort-rule-compatible-plus-extensions; multi-threaded engine; native HTTP/2, TLS, file-extraction keywordsVery active; current 8.0.4 + 7.0.15 LTS (Mar 2026); de facto modern IDS enginehttps://docs.suricata.io/
Zeek scripting language1995 (Bro) / 2018 rebrand → ZeekVern Paxson, ICSI/LBNLEvent-driven scripting language for network-traffic analysis; event http_request(c, ...) { ... }Very active; current Zeek 8.1.x, 8.2 in devhttps://docs.zeek.org/en/current/scripting/index.html
Zeek signatures~2002SameLower-level pattern-matching DSL inside Zeek; pre-script byte/regex matchingActive alongside scriptshttps://docs.zeek.org/en/current/frameworks/signatures.html
YARA2007Victor M. Alvarez (VirusTotal)Pattern-matching DSL: rule X { strings: $s = "..." condition: $s }; primarily file-classification but used on PCAP/network artefactsActive; current 4.5.x; new YARA-X (Rust rewrite) reaching parity in 2026https://yara.readthedocs.io/
iptables2001 (kernel 2.4)Netfilter / Rusty RussellLinux firewall rule DSL; chain → table → match → targetLegacy maintenance; security fixes only; default backend on pre-2019 distroshttps://www.netfilter.org/projects/iptables/
nftables2014 (kernel 3.13)Netfilter / Pablo Neira AyusoModern Linux packet-filtering DSL; unifies iptables/ip6tables/arptables/ebtables; nft add rule inet filter input tcp dport 22 acceptDefault on Debian 10+, Ubuntu 20.10+, RHEL 8+, Fedora 18+; firewalld runs on tophttps://wiki.nftables.org/
Open vSwitch flow language (OpenFlow extensions)2009Nicira → VMware → Linux FoundationOF 1.0–1.5 + OVS extensions; ovs-ofctl add-flow ... / OVN logical flowsActive; OVS 3.7.x line (Feb 2026); OVN translates virtual-network configs into OVS flowshttps://www.openvswitch.org/
Cisco ACL / IOS firewall syntax1990sCiscoVendor-specific access-list DSL; standard + extended ACLs, MQC class-maps, ZBFW zone-pair policiesActive but increasingly fronted by NETCONF/OpenConfighttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-data-acl-15-mt-book.html
Juniper firewall filter syntax1998 (Junos 1.0)JuniperVendor-specific filter DSL; from { source-address ...; } then { accept; count ...; }Active; OpenConfig + Junos PyEZ increasingly used as front-endshttps://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/topic-map/firewall-filter-overview.html
BPF / cBPF (tcpdump filter expression)1992 (BPF paper, McCanne & Jacobson)LBNLCapture-filter DSL: tcp port 80 and host 1.2.3.4; compiled to bytecodeActive, ubiquitous on tcpdump/libpcaphttps://www.tcpdump.org/manpages/pcap-filter.7.html
eBPF2014 (kernel 3.18 onward)Alexei Starovoitov / Linux netdevExtended BPF: 64-bit RISC-style ISA + verifier + JIT; networking via XDP, tc, sk_msg, sock_ops; usually written in C and compiled with clang -target bpf, also Rust (Aya) and Go (cilium/ebpf) frontendsVery active; engine of Cilium, Calico-eBPF, Falco, Pixie; 2026 features include BPF Arena + BPF tokenhttps://ebpf.io/

Tier 3 family table — Application / wire protocol DSLs

FormatFirst appearedOriginTypeStatus (2026)URL
DNS zone file (RFC 1035)1987Paul Mockapetris / IETFHierarchical resource-record text format: example.com. 3600 IN A 1.2.3.4Active; surface syntax unchanged for ~40 years; modern DNSSEC + RFC-1035bis adds RRSIG/NSEC/NSEC3 recordshttps://www.rfc-editor.org/info/rfc1035
TLS 1.3 handshake DSL2018 (RFC 8446)IETF TLS WGStructured-message presentation language inside the RFC; defines ClientHello/ServerHello/EncryptedExtensions/Finished record formatsActive; RFC 9325 (2022) supersedes RFC 7525 as best-current-practicehttps://www.rfc-editor.org/rfc/rfc8446.html
QUIC frame language2021 (RFC 9000)IETF QUIC WGFrame DSL inside QUIC packets: STREAM, ACK, CRYPTO, NEW_CONNECTION_ID, etc.Active; v1 = RFC 9000; QUIC v2 (RFC 9369, 2023) for version-negotiation hardeninghttps://www.rfc-editor.org/rfc/rfc9000.html
HTTP/3 frames2022 (RFC 9114)IETF HTTPbisHEADERS, DATA, PUSH_PROMISE, MAX_PUSH_ID, CANCEL_PUSH framing over QUIC streamsActive; widely deployed on CDNs (Cloudflare, Fastly, Akamai, Google)https://www.rfc-editor.org/rfc/rfc9114.html
HTTP/2 frames2015 (RFC 7540) → 2022 (RFC 9113, obsoletes 7540)IETF HTTPbisBinary frame language: HEADERS, DATA, SETTINGS, PRIORITY, GOAWAY, RST_STREAM, etc.Active; still dominant on most backendshttps://www.rfc-editor.org/rfc/rfc9113.html
SIP / SDP1999 (SIP RFC 2543) → 2002 (RFC 3261); SDP RFC 4566 (2006) → RFC 8866 (2021)IETF MMUSIC + SIP WGsText protocols for VoIP signalling (SIP) and session description (SDP)Active but slowly displaced by WebRTC + JSEP for browser/cloud use caseshttps://www.rfc-editor.org/info/rfc3261
NTPv4 / PTPv2.1 wire formats2010 (NTPv4 RFC 5905) / 2020 (IEEE 1588-2019 a.k.a. PTPv2.1)IETF NTP WG / IEEETime-synchronisation packet grammars; PTP especially relevant for telco/financial sub-microsecond syncActive; NTPv5 in IETF draft as of 2026https://www.rfc-editor.org/info/rfc5905
WireGuard config / interface description2018Jason DonenfeldSmall INI-style DSL for VPN tunnel definitions ([Interface], [Peer], AllowedIPs = ...)Active, in mainline Linux kernel since 5.6https://www.wireguard.com/quickstart/

Notable threads

  • The P4 vs NPL split is real but lopsided. P4_16 has the larger consortium (Intel/Tofino, Xilinx, Mellanox SmartNICs, AMD/Pensando, every academic compiler), the deeper toolchain (p4c, bmv2, p4runtime, p4info, ONOS/Stratum integration), and the standard control-plane API (P4Runtime). NPL has Broadcom and Broadcom’s silicon (Trident-4, Tomahawk-4/5, Jericho-2), which is a huge installed base — but the language ecosystem outside Broadcom is thin. The 2026 reality is that most operators write P4 against Tofino-class silicon and treat NPL as the Broadcom-only escape hatch when they need to program a Trident pipeline. After Intel’s exit from the Tofino business in 2022 the question of “who builds the next P4 ASIC” remains open, with AMD/Pensando, NVIDIA/Mellanox, and ARM-licensed silicon (Marvell, Cisco Silicon One) the likely heirs.

  • YANG/NETCONF eating CLI is real but slow. Every major NOS now ships NETCONF/RESTCONF (Cisco IOS XR/XE, Junos, Arista EOS, Nokia SR-OS, Cumulus/NVUE, Sonic) and OpenConfig coverage has expanded from BGP/OSPF/interfaces in 2014 to ~80% of the operator-relevant feature set in 2026. But operators still drive devices via a mix of native CLI, vendor-native YANG (e.g., openconfig-interfaces vs cisco-ios-xe-native-interfaces), and screen-scraped config templates. The ZTP / IBN (intent-based-networking) push is closing the gap, but the CLI-to-YANG transition has taken twice as long as the IETF expected — a pattern familiar from SNMP-to-NETCONF (also slow) and NETCONF-to-RESTCONF (also slow).

  • The Snort → Suricata succession is largely complete. Snort 3 ships, but Suricata is multi-threaded by design (Snort 3 added thread support late and gets less throughput per core), supports Snort-compatible rule syntax with a strict superset of keywords, parses HTTP/2, QUIC, TLS 1.3 SNI, and JA3/JA4 fingerprints natively, and is the default IDS in Security Onion, SELKS, and most modern SOC stacks. Snort retains a stronghold inside Cisco Secure Firewall (Firepower) where Talos rule sets are the commercial moat. Both Snort 3 and Suricata 7+ accept the same rule files in 95% of cases, so the “rule language” is effectively a shared standard with two engines.

  • nftables is finally the default; iptables is in long-tail decommissioning. Every major distro shipping after 2019 (Debian 10, Ubuntu 20.10, RHEL 8, Fedora 18) uses nftables as the kernel backend, and firewalld and iptables-nft shim layers translate legacy rules. iptables is still ubiquitous in Kubernetes-via-kube-proxy-iptables-mode deployments, but the eBPF-mode kube-proxy alternatives (Cilium, Calico-eBPF) are eating that share fast. Cilium notably skips both iptables and nftables in its CNI datapath — a third regime entirely.

  • eBPF is the surprise winner of the kernel-network DSL race. Originally a packet-filter (1992 BPF), then an extended-BPF observability/tracing engine (2014), eBPF in 2026 is the substrate underneath Cilium service mesh, Falco runtime security, Pixie observability, Katran load balancing, Cloudflare’s L4 DDoS protection, and a chunk of the AWS/GCP/Azure datapath. It’s not a DSL in the traditional sense — programmers write C and compile via Clang — but XDP + tc programs operate at packet granularity with verifier-checked safety, which puts eBPF in the same conceptual slot P4 occupies for switches: a programmable, verifiable packet-processing pipeline.

  • Kaitai Struct is the declarative binary-format DSL the network-RE community converged on. YAML-based, generates parsers for ~12 host languages from one .ksy file, with a visualiser that lets analysts iterate on a hypothesis against a captured packet in seconds. Used heavily for proprietary game-protocol RE, malware C2 dissection, IoT firmware analysis, and forensics. Construct (Python) and PyPacker fill similar niches but only for Python; Kaitai’s polyglot output is its differentiator.

  • The TLS 1.3 handshake (RFC 8446) is a model spec-driven crypto DSL. RFC 8446 uses a TLS-presentation-language grammar to define every record format down to the bit, which is exactly the kind of thing that should be machine-checked but mostly isn’t — although Project Everest (verified TLS in F*) and miTLS show what verified DSL-driven crypto looks like. RFC 9325 (2022) is the current best-current-practice update, obsoleting RFC 7525. The TLS 1.3 handshake is also notable as the most-deployed cryptographic protocol in human history, which makes the structured-message DSL inside the RFC arguably the most-implemented network DSL on Earth.

  • DNS zone files (RFC 1035, 1987) are one of the longest-lived DSLs in production. The surface syntax (@ IN SOA ns. hostmaster. (...)) is essentially unchanged in nearly four decades — DNSSEC adds RRSIG/NSEC/NSEC3/DS records and TYPEnnnn for unknown RRtypes, but zone files written in 1990 still parse cleanly in BIND/Knot/PowerDNS/NSD in 2026. By contrast its sibling DSL — the SMIv2/MIB language for SNMP — has been in slow eclipse since YANG’s rise, with most net-new device-state modelling work moving to YANG even on platforms that still expose SNMP for backward compatibility.

Citations

Graph View