Network communications or flows between endpoints may be classified, e.g. by application, so that routing and quality of service (QoS) policies may be applied. For example, a first flow may be classified as real time video or voice over Internet protocol (VoIP) traffic, and receive higher priority routing and QoS; and a second flow may be classified as email traffic, and receive lower priority routing and QoS. This helps balance network bandwidth among different services and applications, to meet the needs of each service.
It may be important in many implementations to classify the first packet of a flow or communication, so that network paths may be properly selected and intermediary devices may be properly configured. However, classifying packets may require deep packet inspection (DPI) or other analysis functions that may add significant latency to communications. For example, in some implementations, DPI may not be completed until the flow has been established between the endpoint devices (and between various intermediary devices, including network address translation (NAT) devices, firewalls, etc.), particularly in implementations in which the first packet of a communication may include limited information (e.g. a transport control protocol synchronization packet (TCP SYN) which may not necessarily include a payload above OSI layer 4 (the transport layer)), making it difficult to identify applications. It may be difficult or impossible to change flow parameters or paths (e.g. to utilize different intermediary devices) after the flow is established, even if the DPI results indicate that the flow should be configured differently. Conversely, delaying establishment of the flow or buffering packets until full classification may be performed may result in long startup times for communications or transactions, frustrating users and delaying further processing tasks.