Traditional static analysis struggles to detect functional inconsistencies—such as routing errors or authentication bypasses—between network protocol implementations and their RFC specifications. To address this, this paper proposes the first LLM-based agent framework for protocol conformance verification, integrating hierarchical semantic indexing with requirement-driven retrieval. Inspired by human auditing practices, the framework jointly models code semantics (via semantic summarization), RFC document understanding, dynamic contextual retrieval, and multi-level index construction to precisely localize and explain semantic-level functional deviations. Evaluated on six real-world protocol implementations, it identifies 47 functional defects with 81.9% precision; 20 of these were confirmed or fixed by developers. The framework significantly advances the state of functional correctness verification for protocol implementations.

Functional correctness is critical for ensuring the reliability and security of network protocol implementations. Functional bugs, instances where implementations diverge from behaviors specified in RFC documents, can lead to severe consequences, including faulty routing, authentication bypasses, and service disruptions. Detecting these bugs requires deep semantic analysis across specification documents and source code, a task beyond the capabilities of traditional static analysis tools. This paper introduces RFCScan, an autonomous agent that leverages large language models (LLMs) to detect functional bugs by checking conformance between network protocol implementations and their RFC specifications. Inspired by the human auditing procedure, RFCScan comprises two key components: an indexing agent and a detection agent. The former hierarchically summarizes protocol code semantics, generating semantic indexes that enable the detection agent to narrow down the scanning scope. The latter employs demand-driven retrieval to iteratively collect additional relevant data structures and functions, eventually identifying potential inconsistencies with the RFC specifications effectively. We evaluate RFCScan across six real-world network protocol implementations. RFCScan identifies 47 functional bugs with 81.9% precision, of which 20 bugs have been confirmed or fixed by developers.