Configuring nDPI for Custom Protocol Detection


The first release of nDPI was basically a refresh of the OpenDPI library on which nDPI is built. Over the past few months we have made many changes including:

  • Port to various platforms including Linux, MacOSX, Windows and FreeBSD.
  • Enhancement of the demo pcapReader application both in terms of speed/features and encapsulations supported (for instance you can now analyse GTP-tunneled traffic).
  • Ability to compile nDPI for the Linux kernel so that you can use it for developing efficient kernel-based modules.
  • Various speed enhancements so that nDPI is now faster than its predecessor.
  • Added many protocols (we now support almost 160 protocols) ranging from “business” protocols such as SAP and Citrix to “desktop” protocols such as Dropbox and Spotify.
  • Ability to define port (and port range)-based protocol detection, so that you can complement protocol detection with classic port-based detection.

In addition to all this, we have recently added to nDPI the ability to support sub-protocols using string-based matching. This is because many new sub-protocols such as Apple iCloud/iMessage, WhatsApp and many others run over HTTP(S) and can be detected by decoding the SSL certificate host or the HTTP “Host:” header. Thus we have decided to embed in nDPI an efficient string-matching library based on the popular Aho-Corasick algorithm, which matches hundreds of thousands of sub-strings efficiently (i.e. fast enough to sustain 10 Gbit traffic on commodity hardware). You can now specify sub-protocols at runtime using a configuration file with the following format:

# Subprotocols
# Format:
# host:"<value>",host:"<value>",.....@<subproto>
host:"googlesyndacation.com"@Google
host:"venere.com"@Venere

in addition to port-based protocol detection using the following format:

#  Format:
#  <tcp|udp>:<port>,<tcp|udp>:<port>,.....@<proto>
tcp:81,tcp:8181@HTTP
udp:5061-5062@SIP
tcp:860,udp:860,tcp:3260,udp:3260@iSCSI
tcp:3000@ntop

You can test your custom configuration using the pcapReader application (use the -p option to pass the file) or enhance your own application using the ndpi_load_protocols_file() nDPI API call.
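To make the two rule formats above concrete, here is an added example (not nDPI's own code) that parses a constructed protocols file in the format shown, expands port ranges, rejects malformed lines at load time, and classifies a flow by host name or by port. The matching semantics are an assumption for illustration: a case-insensitive substring match on the host, first matching rule wins, with a host match taking precedence over a port rule. nDPI does this with Aho-Corasick over many patterns; the linear scan here gives the same answer for a small file and keeps the example short.

```python
"""Parser and matcher for the nDPI-style custom protocol file format.

Added example, not nDPI's own code. Handles the two rule kinds shown in the post:
  host:"<value>",host:"<value>"@<subproto>
  <tcp|udp>:<port>,<tcp|udp>:<port-range>@<proto>
Matching semantics (substring on host, first rule wins, host beats port) are an
assumption for this example, not a description of nDPI's internals.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration in the format quoted in the post.
SAMPLE_CONFIG = """\
# Subprotocols
# Format:
# host:"<value>",host:"<value>",.....@<subproto>
host:"googlesyndacation.com"@Google
host:"venere.com"@Venere

# Port-based rules
tcp:81,tcp:8181@HTTP
udp:5061-5062@SIP
tcp:860,udp:860,tcp:3260,udp:3260@iSCSI
tcp:3000@ntop
"""

HOST_RE = re.compile(r'^host:"([^"]+)"$')
PORT_RE = re.compile(r'^(tcp|udp):(\d+)(?:-(\d+))?$')

HostRules = List[Tuple[str, str]]        # (host pattern, protocol), in file order
PortRules = Dict[Tuple[str, int], str]   # (l4 protocol, port) -> protocol


def parse_protocols_file(text: str) -> Tuple[HostRules, PortRules]:
    """Parse the file text; raise ValueError on any malformed line so a bad
    configuration is caught when it is loaded rather than silently ignored."""
    host_rules: HostRules = []
    port_rules: PortRules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if "@" not in line:
            raise ValueError(f"line {lineno}: missing '@<protocol>'")
        selectors, proto = line.rsplit("@", 1)
        proto = proto.strip()
        if not proto:
            raise ValueError(f"line {lineno}: empty protocol name")
        for sel in selectors.split(","):
            sel = sel.strip()
            m = HOST_RE.match(sel)
            if m:
                host_rules.append((m.group(1).lower(), proto))
                continue
            m = PORT_RE.match(sel)
            if m:
                l4 = m.group(1)
                lo = int(m.group(2))
                hi = int(m.group(3) or m.group(2))  # single port if no range
                if not (0 < lo <= hi <= 65535):
                    raise ValueError(f"line {lineno}: bad port or range {sel!r}")
                for port in range(lo, hi + 1):
                    port_rules[(l4, port)] = proto
                continue
            raise ValueError(f"line {lineno}: unrecognised selector {sel!r}")
    return host_rules, port_rules


def classify(host_rules: HostRules, port_rules: PortRules,
             l4: str, dst_port: int, host: Optional[str] = None) -> Optional[str]:
    """Classify one flow. A host (HTTP Host: / SNI) match wins over the port
    rule; with no host or no host match, fall back to the port table."""
    if host:
        h = host.lower()
        for pattern, proto in host_rules:
            if pattern in h:
                return proto
    return port_rules.get((l4, dst_port))


if __name__ == "__main__":
    hosts, ports = parse_protocols_file(SAMPLE_CONFIG)
    print(classify(hosts, ports, "tcp", 443, "pagead.googlesyndacation.com"))  # Google
    print(classify(hosts, ports, "udp", 5062))                                 # SIP
    print(classify(hosts, ports, "tcp", 5062))                                 # None
```

Note the precedence choice: a host rule is consulted before the port table so that, for example, HTTPS traffic on port 443 is attributed to the sub-protocol named in the certificate host rather than to a generic port entry.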

This said, every month new protocols are introduced and become popular, so nDPI needs constant maintenance and enhancement. We need your help in developing new protocol dissectors. Please contact us if you want to join the nDPI team.
