Packet classification may include acquiring a rule which matches a specific field in the header of a packet according to a preset classification process, and performing an action specified by the acquired rule. Such packet classification may be used for various kinds of applications provided by network devices, such as access control, flow control, load balancing, and intrusion detection. Packet classification may base on a decision tree data structure. When a network device receives a packet, it may look up a rule set which matches the packet according to a classification process defined by the decision tree, and process the packet according to an action specified by a rule, such as dropping and forwarding the packet.