In November 2024, CableLabs released NetLLM: Your Handy Automated Network Assistant. NetLLM is a set of tools that collects metrics from the network and passes them as text to an out-of-the-box Large Language Model (LLM) trained on natural language for analysis.  This approach works well and has the added benefit of allowing people to communicate with their router in conversational English.

The next step, which is the subject of this blog post, was to train a model on network communication itself rather than a text description. Our model is trained on the raw network packets, treating the sequence of packets as a language by handling each packet as a sentence in the context of the overall network conversation. This approach led to a custom architecture that allows us to build a real intuition for understanding network traffic in more detail.

What We Made

Our model takes in a Packet CAPture (PCAP) and outputs its understanding of what’s happening in that network traffic in the form of a vector of numbers (or embedding) for each packet. In LLMs, words and ideas are internally represented using embeddings, which are tuned to reflect the ideas they represent. If you think of packets as their own ideas, then you can represent these ideas numerically too, with embeddings, which can be thought of as translations of packets on the network to something that a machine can understand.

As a test, we used these embeddings to classify traffic into categories, focusing on two initial use cases: identifying the type of IoT devices on a network and detecting security attacks. For each of these use cases, the embeddings were transformed to create a probability distribution for the target classes, which allowed us to classify the traffic into two or more categories (or labels). Our categorization success rate with each of these use cases was over 90%.

Architecture Overview

To capture the full meaning of a PCAP, the most important aspects are the timing and content of each packet and the relationship between packets; the architecture needs to reflect this.

The first step is to break each packet down into its constituent protocols, each of which is passed through a dedicated layer that has learned to extract features specific to that protocol. The packets are then sent through a Long Short-Term Memory (LSTM) network, which is a type of machine learning layer that excels at extracting temporal relationships between time steps and transforming them to take previous time steps into account. We then pass these time-aware representations through a self-attention layer that excels at identifying the role and meaning of each packet in the broader context of the surrounding packets.

Figure 1: A high-level overview of the path that a packet takes as it is processed by our model and what it represents at each step

The output of the model, the final embedding, is a list of embeddings, one per packet, that is a learned understanding of the original PCAP. To see how you can use these embeddings, imagine a classification task. These embeddings would be used to predict which class a given PCAP belongs to. For example, if we trained the model to predict which type of IoT device we’re looking at, the output of this classification would be a probability distribution over the potential labels (e.g., 80% smart camera, 10% smart lightbulb, and 10% other).

When designing our architecture, we wanted to make sure that our model could exist where it would be most effective. Many network analysis tools are quite large and live in the cloud, which has a few potential drawbacks:

• There are privacy concerns in sending potentially confidential information up to the cloud.
• Sending all traffic up to the cloud is a huge waste of upstream bandwidth.
• The analysis system fails if the backhaul goes down and the cloud cannot be reached.

We focused on a local solution, making the model as lightweight as possible, so that it could run on CPE and function even without access to the wider internet.

Continued Development

But there is more that can be done with these embeddings!

The Packet Transformer. When we take a wider view of the PCAP Comprehension Module in Figure 1 above, it looks similar to the encoder block of a transformer. For natural language processing (NLP) classification tasks, in models like BERT, the encoder is used to understand and then classify the input, just like our model. To produce text, most modern LLMs use a decoder-only architecture. This works well for text because text doesn’t need any additional processing or understanding. So, if we feed our embeddings into the decoder (along with text and any other relevant measurements), we would be able to create a Multi-Modal LLM that has a deep understanding of network communications and can explain and answer questions about it.

The Network Agent. This PCAP Comprehension module could also be used as a network comprehension agent inside a larger agentic system. In this way, the comprehension agent would be invoked when the coordinating agent thinks there is a need to look in detail at network traffic.

Building for the Future

As our industry moves forward, flexible and resilient systems that can communicate better with consumers are a necessity. Systems that both understand networking and diagnose/fix issues can solve customers’ problems more quickly and save on customer service costs.

This innovative approach is powerful, lightweight and able to run directly on CPE. So, instead of trying to squeeze as much compute power into hardware as possible (which is expensive, power-hungry and time-consuming), we can work smarter by using this novel architecture on any existing hardware.

To continue to develop our model, we need more data. If you are a CableLabs member or part of our vendor community, this is where you can help. If you have any labeled or unlabeled PCAPs and would like to contribute to this model development or collaborate, let us know.

If you’ve ever spent any time online, you’ve probably uttered some variation of this: “What’s happening with my internet!?” Whether or not you’re technically proficient, your first step toward fixing your network problem is always the same: Shout your frustration into the void.

If you’re a networking professional, you might then open Wireshark and manually search for the culprit — and maybe even find a solution. However, if you don’t have a networking background, you’ll probably have to call customer support and schedule a technician to come over and solve the problem. But that route can be expensive and time-consuming. Is there a reliable way to fix networking problems that pop up while also avoiding the cost of customer support, all while providing a great experience for the user?

The Response From the Void

The solution to this hair-pulling is a CableLabs prototype called NetLLM — your home networking assistant. Powered by a large language model (LLM) that lives on your home router, NetLLM looks at your network activity and any other relevant information (e.g., configuration files, records of past incidents, network metrics such as signal strength and channel noise). Then, it explains the problem in greater detail and attempts to fix it.

Your entire interaction with this automated network assistant could be a one-off response, or it could develop into a conversation in which you and NetLLM discuss the problem and try to address it — all in plain English.

If the issue cannot be resolved, NetLLM will at least add some transparency to the errors and make them less cryptic by explaining them in less technical terms (“Ohhhh, that’s what a DNS error is”). You can also choose to record the interaction so that you can send that information to customer support when you call in, thus providing the important context about the network conditions that caused the problem and what steps have been taken already.

Networking as a Language

The key to NetLLM is that it treats network communication as its own language.

Like any other language, each networking protocol has its own system of syntax and semantics. However, unlike the syntax of human languages, networking syntax is much more structured; the packets themselves and the packet sequences are organized in a very specific way that provides semantic meaning. Thinking of computer communication as a language is the key to using an LLM to decipher problems in a network — just as an LLM can be used to explain and interpret a conversation between humans.

It’s important to note that the real power of NetLLM isn’t the chat interface it uses to converse with users but rather the network LLM it uses for the problem diagnosis itself. The training will be performed with a curated dataset of question-and-answer pairs about network traffic from a wide variety of sources, including Internet of Things (IoT) devices, various network attacks and regular traffic.

Network Configuration and Management

In addition to being trained to recognize and understand network traffic, NetLLM has also been trained to manage and configure a network. For a home user, network management entails updating network settings to fix user issues (e.g., manipulating firewalls, resetting DNS, remedying jittery video calls). So, if any of the problems found in the diagnostic step are the result of configuration issues, NetLLM will attempt to fix those.

A user can also request a network configuration change such as changing a password or creating a guest network in simple English without needing to pull up the router’s configuration user interface (UI).

Future Development

Where do we go from here? In addition to being a reactive tool that a user can utilize manually to seek network assistance, the goal is for NetLLM to be a proactive feature and run as a daemon in the background, monitoring your network both for optimizations and security threats.

This is the ultimate in customer service: solving problems before the customer is even aware of them!

Your IT Buddy

This automated network assistant has the potential to be a one-stop shop for everything happening in your home network and the wider internet, all while protecting you from potential problems. With its diagnosis, configuration, and management capabilities, NetLLM gives you full insight into your network and allows for easy configuration — all in understandable English.

Even if you are a networking professional and have the skills to fix problems on your own, NetLLM can save you time. From advanced features such as setting up firewalls and fixing problematic video calls, to more everyday functionality such as managing passwords and monitoring your network, this CableLabs tool makes network troubleshooting and management as easy as asking a very talented IT friend for help.