License Tiers
Rockfish uses a tiered licensing model to enable different feature sets.
Tier Comparison
| Feature | Community | Basic | Professional | Enterprise |
|---|---|---|---|---|
| **Core Features** | | | | |
| Packet capture | Yes | Yes | Yes | Yes |
| Flow generation | Yes | Yes | Yes | Yes |
| Parquet export | Yes | Yes | Yes | Yes |
| S3 upload | Yes | Yes | Yes | Yes |
| **Schema** | | | | |
| v1 (Simple - 54 fields) | Yes | Yes | Yes | Yes |
| v2 (Extended - 60 fields) | - | - | Yes | Yes |
| **Application Detection** | | | | |
| nDPI labeling | - | Yes | Yes | Yes |
| nDPI risk scoring | - | Yes | Yes | Yes |
| **Network Intelligence** | | | | |
| GeoIP country/city/ASN | - | Yes | Yes | Yes |
| GeoIP AS organization | - | - | Yes | Yes |
| nDPI fingerprints (JA4, JA3s, TCP) | - | - | Yes | Yes |
| **Customization** | | | | |
| Custom observation name | - | Yes | Yes | Yes |
| **Advanced Features** | | | | |
| Anomaly detection | - | - | - | Yes |
| ML model integration | - | - | - | Yes |
Feature Details
Community Tier
Free tier with basic flow capture:
- Standard 5-tuple flow generation
- Parquet export (v1 schema)
- S3 upload support
- AF_PACKET high-performance capture
- Fragment reassembly
Basic Tier
Adds application visibility and GeoIP intelligence:
- All Community features
- nDPI application labeling
- nDPI risk scoring and categories
- GeoIP lookups (scountry, dcountry, scity, dcity, sasn, dasn)
- Custom observation domain name
- 54 fields total
Professional Tier
Adds AS organization names and device fingerprinting:
- All Basic features
- Extended schema (60 fields)
- GeoIP AS organization names (sasnorg, dasnorg)
- nDPI fingerprints (JA4 client, JA3 server, TCP fingerprint, composite)
Enterprise Tier
Full feature set:
- All Professional features
- Anomaly detection (HBOS)
- ML model integration
- SaaS schema (63+ fields)
- Correlation with rockfish_sensor
Schema Comparison
v1 (Simple) - Community/Basic
54 core fields:
- Flow identification (flowid, obname)
- Timing (stime, etime, dur, rtt)
- Addresses (saddr, daddr, sport, dport)
- Traffic (spkts, dpkts, sbytes, dbytes)
- TCP state (iflags, uflags, sequences)
- Payload analysis (entropy, packet sizes)
- GeoIP: scountry, dcountry, scity, dcity, sasn, dasn (Basic tier)
- nDPI results (Basic tier)
v2 (Extended) - Professional/Enterprise
60 fields (v1 + 6 additional):
- GeoIP AS organization: sasnorg, dasnorg
- nDPI fingerprints: ndpi_ja4, ndpi_ja3s, ndpi_tcp_fp, ndpi_fp
v3 (SaaS) - Enterprise
63+ fields:
- All v2 fields
- Anomaly scores
- ML predictions
- Correlation IDs
License Enforcement
Parquet Metadata
Licensed files include metadata for validation:
```
rockfish.license_id: "lic_abc123"
rockfish.tier: "professional"
rockfish.company: "Example Corp"
rockfish.observation: "sensor-01"
```
MCP Validation
Configure license validation in MCP:
```yaml
sources:
  # Require valid license
  prod_flows:
    path: s3://data/flows/
    require_license: true
  # Restrict to specific licenses
  enterprise_flows:
    path: s3://data/enterprise/
    require_license: true
    allowed_license_ids:
      - "lic_abc123"
```
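The following is an added example, not Rockfish or MCP code. It applies the two options above to a file's Parquet key/value metadata and also checks that the declared `rockfish.tier` is consistent with the columns present. The function name `check_file` and the exact rejection rules are assumptions; the check covers only the fields shown on this page and does not authenticate the metadata.

```python
# Added example, not Rockfish code. Metadata keys, tiers and v2 column names
# are from the page; what each config option rejects is an assumption.
TIER_RANK = {"community": 0, "basic": 1, "professional": 2, "enterprise": 3}
# Columns that exist only in the v2 (Extended) schema, Professional and up.
V2_ONLY = {"sasnorg", "dasnorg", "ndpi_ja4", "ndpi_ja3s", "ndpi_tcp_fp", "ndpi_fp"}


def _text(value):
    # Parquet footers hold key/value metadata as bytes; accept str as well.
    return value.decode("utf-8", "replace") if isinstance(value, bytes) else value


def check_file(source_cfg, file_metadata, columns):
    """Return a list of violations; an empty list means the file passes."""
    meta = {_text(k): _text(v) for k, v in (file_metadata or {}).items()}
    license_id = meta.get("rockfish.license_id")
    tier = (meta.get("rockfish.tier") or "").lower()
    allowed = source_cfg.get("allowed_license_ids")
    problems = []

    if not license_id:
        if source_cfg.get("require_license"):
            problems.append("missing rockfish.license_id")
    else:
        if allowed is not None and license_id not in allowed:
            problems.append(f"license_id {license_id!r} not in allowed_license_ids")
        if tier not in TIER_RANK:
            problems.append(f"unknown rockfish.tier {tier!r}")

    # Cross-check the declared tier against the columns actually present:
    # v2-only columns in a file declaring less than professional is a mismatch.
    declared = tier or "no tier"
    if TIER_RANK.get(tier, 0) < TIER_RANK["professional"]:
        for col in sorted(V2_ONLY.intersection(columns)):
            problems.append(f"column {col!r} needs professional, file declares {declared!r}")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the enterprise_flows source in the config above.
    enterprise_flows = {"require_license": True, "allowed_license_ids": ["lic_abc123"]}
    footer = {b"rockfish.license_id": b"lic_abc123", b"rockfish.tier": b"basic"}
    for line in check_file(enterprise_flows, footer, ["flowid", "saddr", "ndpi_ja4"]):
        print("REJECT:", line)
```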
Obtaining a License
Contact [email protected] for:
- License quotes
- Trial licenses
- Enterprise agreements
- Volume discounts