Say hello to nDPI 2.0 (with wireshark integration)

Posted · Add Comment

nDPI 2.0 is a major release that:

  • Consolidates the API, in particular for guessing new protocols or notifying nDPI that for a given flow there are no more packets to dissect.
  • Introduces nDPI support into Wireshark by means of a lua script and extcap plugin. Available via an extcap interface, the plugin sends Wireshark the nDPI-detected protocols by adding an ethernet packet trailer that is then interpreted and displayed inside the Wireshark GUI using the companion lua script. If you’re planning to attend the Sharkfest US 2017, we will present the tool in detail.
  • Introduces support for many new protocols and add enhancements on existing dissectors as described below.

New Supported Protocols and Services

  • STARTTLS
  • IMAPS
  • DNScrypt
  • QUIC (Quick UDP Internet Connections)
  • AMQP (Advanced Message Queueing Protocol)
  • Ookla (SpeedTest)
  • BJNP
  • AFP (Apple Filing Protocol)
  • SMPP (Short Message Peer-to-Peer)
  • VNC
  • OpenVPN
  • OpenDNS
  • RX protocol (used by AFS)
  • CoAP and MQTT (IoT specific protocols)
  • Cloudflare
  • Office 365
  • OCS
  • MS Lync
  • Ubiquity AirControl 2
  • HEP (Extensible Encapsulation Protocol)
  • WhatsApp Voice vs WhatsApp (chat, no voice)
  • Viber
  • Wechat
  • Github
  • Hotmail
  • Slack
  • Instagram
  • Snapchat
  • MPEG TS protocol
  • Twitch
  • KakaoTalk Voice and Chat
  • Meu
  • EAQ
  • iQIYI media service
  • Weibo
  • PPStream

Improvements to Existing Dissectors

  • SSH client/server version dissection
  • Improved SSL dissection
  • SSL server certificate detection
  • Added double tagging 802.1Q in dissection of vlan-tagged packets
  • Improved netBIOS dissection
  • Improved Skype detection
  • Improved Netflix traffic detection
  • Improved HTTP subprotocol matching
  • Implemented DHCP host name extraction
  • Updated Facebook detection by ip server ranges
  • Updated Twitter networks
  • Improved Microsoft detection
  • Enhanced Google detection
  • Improved BT-uTP protocol dissection
  • Added detection of Cisco datalink layer (Cisco hDLC and Cisco SLARP)

For future releases we have plans to make nDPI more flexible and rich in terms of categorization of protocols, as well enrich it with new protocols and extensions.

Shall you be interested to contribute to the library or join the team, please speak up!

Enjoy.