nDPI

Open and Extensible LGPLv3 Deep Packet Inspection Library
nDPI is an ntop-maintained DPI toolkit. Released under the LGPL license, its goal is to extend the original library by adding new protocols that are otherwise available only in the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you with a cross-platform DPI experience. Furthermore, we have modified nDPI to be more suitable for traffic monitoring applications by disabling specific features that slow down the DPI engine and are unnecessary for network traffic monitoring.
nDPI is used in ntop tools and various third-party applications to add application-layer detection of protocols, regardless of the port being used. This means that it is possible both to detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80) and the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

metadata extraction
In addition to detecting the application protocol, nDPI also extracts and reports relevant metadata associated with the layer-7 application, such as URL, TLS certificate, operating system, etc.
Furthermore, since Internet traffic is trending towards encrypted content, often using TLS/QUIC, nDPI allows you to extract metadata from encrypted communications and also classify encrypted traffic, implementing the so-called ETA (Encrypted Traffic Analysis).
Below you can find an example of metadata extracted from a real flow.

at a glance
Key Features
- Layer-7 application protocol detection (450+ supported protocols)
- Traffic categorization
- Flow risk detection
- Extensibility by means of configuration files (host, BPF, protocol, port, ...)
- ETA support (Encrypted Traffic Analysis)
- FPC support (First Packet Classification)
- TLV support for network data serialization in binary format
Ideal for Every Environment
Use Cases
Network Traffic Classification
Identify the application or service behind each network flow (e.g., Skype, BitTorrent, Facebook, YouTube).
ntop applications (e.g. ntopng) and probes (nProbe and nProbe Cento) used by enterprises and ISPs use nDPI to classify traffic and understand usage patterns.
nDPI not only offers DPI features but also includes various features for traffic classification and analysis, so you can create your application without having to implement complex analysis capabilities, as they are already provided by nDPI.
Content Filtering and Parental Control
Block access to certain categories of websites or applications.
ISPs or schools may integrate applications powered by nDPI to filter traffic for adult content, social media, or gaming platforms based on DPI detection.
Anomaly Detection
Identify unusual traffic patterns that may signal attacks, malware activity, or misconfigured devices.
nDPI is able to identify specific “risks” in network traffic. Combined with machine learning, it can also help detect zero-day threats or early signs of compromise by analyzing deviations from normal traffic patterns.
QoS and Bandwidth Management
Prioritize or limit traffic based on application type (e.g., throttle streaming services during work hours).
Network administrators use applications powered by nDPI for granular control, enabling fair bandwidth usage or prioritization of VoIP/video calls over P2P traffic.
Intrusion Detection and Prevention (IDS/IPS)
Detect potentially malicious activity within network traffic based on application-layer behavior.
Security applications and appliances embed nDPI to flag or block suspicious protocols or malformed packets that could indicate exploits or exfiltration, or to augment logs with Layer-7 metadata.
Specifications
Tech Specs
- Linux
- FreeBSD
- Windows x64 (including Windows 10/11)
- macOS
- RaspbianOS
- C API
- Extensible via configuration file
- IPv4/IPv6
- 450+ Layer-7 application protocols detected
models
Choose Your Model
Already included in all ntop applications.
Open Source
- nDPI is included in the ntop tools; however, nothing prevents you from using it as a standalone DPI library. The source code can be downloaded from GitHub.
- DPI is a time-consuming activity, as protocols change quite often. This means that it’s necessary to constantly update the code and add extensions. We would encourage anyone out there to help us add or enhance protocols by sending contributions on GitHub, making them available to everyone free of charge.
- Source Code available on GitHub at github.com/ntop/ndpi