nDPI 5.0: Enhanced Traffic Fingerprinting and FPC, Many new Protocols

We are proud to announce the release of nDPI 5.0, the latest major update to our open-source Deep Packet Inspection (DPI) toolkit. This release introduces a powerful new fingerprinting system, unlimited protocol support, and enhanced detection capabilities that go beyond traditional methods.


Major Highlights

A Unified nDPI Fingerprint

With nDPI 5.0, we are introducing a new fingerprinting mechanism that combines multiple layers of flow metadata into a single, robust fingerprint. This unified fingerprint integrates:

  • TCP fingerprint
  • JA4 fingerprint
  • TLS SHA1 certificate hash (or JA3S if SHA1 is missing)

This new approach allows nDPI to identify and correlate encrypted or obfuscated traffic more accurately than ever before.
You can read more about the rationale and implementation in our article: Beyond JA3/JA4: Introducing nDPI Traffic Fingerprint


Detecting Hostnames Without DNS Resolution

In modern networks, especially with encrypted SNI and DoH/DoQ, not every hostname is resolved through DNS.
nDPI 5.0 introduces a new mechanism to detect (TLS/QUIC/HTTP) flows whose hostnames were not previously resolved via DNS, helping identify anomalies, evasive behaviors, or covert channels.

More details: When SNIs Cannot Be Trusted
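
One way to picture the check described above, as an added C example (not nDPI's implementation): a per-client record of DNS-resolved names is consulted whenever a TLS/QUIC/HTTP hostname is seen. The function names, the ring-buffer size and the validity window are assumptions, and the events in main() are constructed.

```c
/* Added illustration, not nDPI source: all names below are hypothetical. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_ENTRIES 256   /* ring buffer size (assumption) */
#define MAX_NAME    254   /* longest DNS name plus NUL */
struct dns_entry { uint32_t client; uint32_t expires; char name[MAX_NAME]; };
static struct dns_entry cache[MAX_ENTRIES];
static unsigned n_seen;

/* Lower-case and drop a trailing dot so "Example.COM." matches "example.com". */
static void normalize(const char *in, char *out) {
  size_t i, len = strlen(in);
  if (len >= MAX_NAME) len = MAX_NAME - 1;
  if (len > 0 && in[len - 1] == '.') len--;
  for (i = 0; i < len; i++) out[i] = (char)tolower((unsigned char)in[i]);
  out[len] = '\0';
}

/* Record a name this client resolved; it stays usable for `window` seconds. */
void dns_seen(uint32_t client, const char *qname, uint32_t now, uint32_t window) {
  struct dns_entry *e = &cache[n_seen++ % MAX_ENTRIES]; /* oldest is overwritten */
  e->client = client;
  e->expires = now + window;
  normalize(qname, e->name);
}

/* Return 1 when a TLS/QUIC/HTTP hostname has no matching prior resolution. */
int hostname_unresolved(uint32_t client, const char *host, uint32_t now) {
  char key[MAX_NAME];
  unsigned i, used = n_seen < MAX_ENTRIES ? n_seen : MAX_ENTRIES;
  normalize(host, key);
  for (i = 0; i < used; i++)
    if (cache[i].client == client && cache[i].expires >= now &&
        strcmp(cache[i].name, key) == 0)
      return 0;
  return 1;
}

int main(void) {
  const uint32_t c1 = 0x0A000005u, c2 = 0x0A000006u; /* constructed: 10.0.0.5, 10.0.0.6 */
  dns_seen(c1, "Updates.Example.com.", 100, 300);    /* constructed DNS answer */
  printf("%d\n", hostname_unresolved(c1, "updates.example.com", 150)); /* resolved */
  printf("%d\n", hostname_unresolved(c1, "cdn.example.net", 150));     /* never resolved */
  printf("%d\n", hostname_unresolved(c2, "updates.example.com", 150)); /* other client */
  printf("%d\n", hostname_unresolved(c1, "updates.example.com", 500)); /* too old */
  return 0;
}
```

Scoping the lookup to the client that made the DNS query matters: a name resolved by one host says nothing about a flow opened by another.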


(Almost) Unlimited Custom Protocols and Rules

nDPI 5.0 removes long-standing limits on the number of supported protocols. You can now define an almost unlimited (2^16) number of protocols, categories, and breeds at runtime.

Custom rules have also been extended with new matching options, allowing users to classify traffic by:

  • JA4 fingerprint
  • nDPI fingerprint
  • HTTP URL
  • Categories and breeds

Examples of custom rules can be found here.


API and Build System Changes

With this major release, we’ve modernized several core API and build components:

  • You now need to explicitly configure your build: ./autogen.sh && ./configure --$OPTIONS && make
  • All protocols are enabled by default; the deprecated ndpi_set_protocol_detection_bitmask2() function has been removed.
  • The defines NDPI_MAX_SUPPORTED_PROTOCOLS and NDPI_MAX_NUM_CUSTOM_PROTOCOLS are gone — protocol limits are now dynamic and determined at runtime via ndpi_get_num_protocols().
  • The old static NDPI_PROTOCOL_BITMASK has been replaced with a dynamic ndpi_bitmask structure.
  • The return type of ndpi_detection_process_packet() has been simplified, and ndpi_extra_dissection_possible() has been removed.
  • Some pseudo-protocols (ADULT_CONTENT, LLM, and ADS_ANALYTICS_TRACK) have been dropped and replaced with category-based classification.

These changes improve scalability, simplify the API, and make it easier to extend nDPI in future releases.


New Protocols and Services

This release adds support for many new and updated protocols and services, including:

  • Microsoft Delivery Optimization, Rockstar Games, Kick.com, MELSEC, Hamachi, GLBP, Matter, TriStation, Samsung SDP, ESPN, Akamai, and many more.
  • New classification and sub-categories for Amazon/AWS services.
  • Around 30 new content categories, improving granularity in traffic analytics.
  • Cleanup of outdated or obsolete protocols (e.g., older games like Warcraft 3, Half-Life 2).

Full list available in the protocol documentation.


New Features and Algorithms
  • Out-of-tree builds are now supported.
  • Explicit flow classification states make debugging and analysis easier.
  • Protocol stacks are now supported — flows can include more than two protocols in classification.
  • New API functions for hex encoding/decoding and ranking-based traffic analysis.
  • The ranking detection API helps determine relative rank changes between epochs, which is useful for analytics and anomaly detection.

New Configuration Options

New configuration parameters have been added, such as:

  • hostname_dns_check – detect flows without prior DNS resolution
  • metadata.tcp_fingerprint and metadata.tcp_fingerprint_format – enable raw TCP fingerprint export and format selection
  • http,metadata.resp.content_type / http,metadata.resp.server – toggle HTTP metadata export
  • tls,blocks_analysis – enable TLS block size analysis

Full documentation: Configuration Parameters


Improvements and Optimizations

This release includes hundreds of smaller improvements, optimizations, and refactorings:

  • Smarter protocol guessing and faster lookups
  • Updated lists for bots, scanners, and mining pools
  • Improved HTTP, TLS, and STUN dissectors
  • Faster initialization and memory management
  • Simplified API, better modularization, and improved internal consistency
  • Updated croaring to v4.3.6
  • Refined fingerprinting for Android and macOS
  • New flow risks like NDPI_MISMATCHING_PROTOCOL_WITH_IP
  • Added TLS block analysis for deeper encrypted flow insight

These refinements make nDPI 5.0 not only more capable but also faster and more memory-efficient.


By merging transport and encryption-level fingerprints into a unified identifier, supporting unlimited protocols, and enhancing flow intelligence, nDPI continues to lead in open-source DPI innovation. We invite developers, researchers, and integrators to explore the new release and share feedback or contributions. nDPI 5.0 is now available on GitHub.

The complete changelog is available here. That said, stay tuned, as we're working on a new version of nDPI suitable for professionals and companies willing to embed it in their products.

Enjoy!
