nDPI

nDPI

Introducing nDPI 4.14: Added QoE (Quality of Experience) and New Protocols, Several Fixes

We’re excited to announce the release of nDPI 4.14, a maintenance release that also includes some cool new protocol dissectors and fixes. As you know, maintaining a DPI library is no easy task, and this release is no exception. We’ve worked hard to enhance existing dissectors, making them more robust and efficient. We’ve also cleaned up some outdated code and improved flow risks. We’ll be sharing more details about the plans for the next nDPI release at PacketFest. This might be the last release of the 4.x series, so we’re …
Cybersecurity

Using Network Fingerprints Beyond Cybersecurity

Last week ntop was invited to give a talk at neacademy in Napoli, Italy. The topic was network fingerprints and nDPI. Network fingerprints such as JA4 have been made popular by the cybersecurity community, which uses them to spot malware (with limited false positives) and to find similarities between traffic patterns. During the talk, we explained that it is possible to improve fingerprint reliability by combining several of them, and that fingerprints can also be used for activities beyond cybersecurity, including (but not limited to) traffic classification and micro-segmentation. This was …
nDPI

When Traffic Obfuscation Falls Short: nDPI vs NordWhisper NordVPN

In recent years, numerous virtual private networks (VPNs) have been introduced to the market. Some of these VPNs are standalone applications, while others are integrated into web browsers or other network applications. All of them promise users a private browsing experience by preventing users from being tracked and observed, particularly on public hotspots. Popular countermeasures detect these VPNs (often based on WireGuard or OpenVPN) and block them so that they cannot be used to circumvent network policies. To evade such detection and blocking, VPN vendors have implemented various traffic obfuscation techniques to render …
Announce

Released nDPI 4.12: Obfuscated/Encrypted/Proxied Traffic and Fingerprints

This is to announce the release of nDPI 4.12, the first version after the 6-month release cycle announced earlier this year. The main changes of this release include detection of encrypted/obfuscated/proxied traffic, in particular for OpenVPN and TLS, as well as support for the network fingerprints presented in November at the SharkFest conference. For all details see the enclosed changelog. Enjoy!

nDPI 4.12 (Dec 2024)
Major Changes
Added detection of encrypted/obfuscated OpenVPN flows (#2547, #2560)
Added detection of encrypted/obfuscated/proxied TLS flows (#2553)
Implemented nDPI TCP fingerprint (https://github.com/ntop/nDPI/commit/6b6dad4fdb2e60cd2887f7d381bcab2387ba9507)
For further details …
Cybersecurity

A Deep Dive Into Traffic Fingerprints

Last week, during SharkFest Europe 2024, we presented what network fingerprints are and how they work. During the talk we (Luca and Ivan) described how we extended nDPI with support for network fingerprints, and how this work has also been integrated into Wireshark. We believe that fingerprints are an interesting technology that can help in better understanding the nature of traffic flows, in detecting inconsistencies in crafted traffic (e.g. a Windows box that pretends to be an iOS device), and of course in cybersecurity. In the coming months …
nDPI

How First Packet Classification (FPC) Works in nDPI

Starting with nDPI 4.10, we have introduced a new feature called First Packet Classification (FPC). The goal of this technique is to address a limitation of DPI: a protocol is detected only once enough of the traffic has been dissected. For TLS this means a few packets (usually between 5 and 10), as nDPI has to wait until the TLS handshake packets have been exchanged. This can be a problem in particular when DPI is used on inline traffic (e.g. on an IPS), as the decision about the application protocol …
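
As an added example (illustrative Python written for this page, not code taken from nDPI), the script below runs one constructed packet sequence through a classic handshake-based classifier and a first-packet classifier and reports on which packet each one settles. The DNS-cache strategy, the toy port table, the flow keys and the RFC 5737 addresses are assumptions of this example; nDPI's actual FPC logic is not reproduced here.

```python
"""First Packet Classification (FPC) beside classic DPI (illustrative, not nDPI code).

DpiClassifier labels a TLS flow only after seeing ClientHello and ServerHello, so
it needs several packets.  FpcClassifier labels a flow on its first packet from
the destination port plus a cache of server-IP -> hostname pairs learned from
earlier DNS answers.  That DNS-cache strategy and the port table are assumptions
of this example, not nDPI's FPC internals.  Addresses are RFC 5737 documentation
ranges; the DNS reply is handed over pre-parsed since DNS decoding is not the point.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TLS_HANDSHAKE_RECORD = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2
DNS_FLOW = "192.0.2.10:40000->198.51.100.53:53"   # constructed flow keys
TLS_FLOW = "192.0.2.10:51234->198.51.100.10:443"

@dataclass
class Packet:
    flow: str                  # flow key shared by both directions
    from_client: bool          # packet direction
    dst_ip: str
    dst_port: int
    payload: bytes = b""
    dns_answer: Optional[Tuple[str, str]] = None   # (name, ip) of a pre-parsed DNS reply

@dataclass
class FlowState:
    packets: int = 0
    saw_client_hello: bool = False
    saw_server_hello: bool = False
    label: Optional[str] = None            # protocol label once classified
    classified_at: Optional[int] = None    # packet number at which it was assigned

def tls_handshake_type(payload: bytes) -> Optional[int]:
    """Handshake type byte (offset 5: type(1) version(2) length(2)) of a TLS handshake record."""
    if len(payload) < 6 or payload[0] != TLS_HANDSHAKE_RECORD or payload[1] != 0x03:
        return None
    return payload[5]

class DpiClassifier:
    """Classic DPI: decide only once both handshake halves have been dissected."""
    def __init__(self) -> None:
        self.flows: Dict[str, FlowState] = {}

    def feed(self, pkt: Packet) -> FlowState:
        st = self.flows.setdefault(pkt.flow, FlowState())
        st.packets += 1
        if st.label is None:
            msg = tls_handshake_type(pkt.payload)
            if msg == CLIENT_HELLO and pkt.from_client:
                st.saw_client_hello = True
            elif msg == SERVER_HELLO and not pkt.from_client:
                st.saw_server_hello = True
            if st.saw_client_hello and st.saw_server_hello:
                st.label, st.classified_at = "TLS", st.packets
        return st

class FpcClassifier:
    """FPC: label on packet 1 from the destination port plus the DNS-derived cache."""
    PORT_HINTS = {53: "DNS", 443: "TLS"}   # toy port table (assumption)

    def __init__(self) -> None:
        self.flows: Dict[str, FlowState] = {}
        self.dns_cache: Dict[str, str] = {}   # server ip -> hostname

    def feed(self, pkt: Packet) -> FlowState:
        if pkt.dns_answer is not None:
            name, ip = pkt.dns_answer
            self.dns_cache[ip] = name          # remember which name this server serves
        st = self.flows.setdefault(pkt.flow, FlowState())
        st.packets += 1
        if st.label is None and st.packets == 1:
            proto = self.PORT_HINTS.get(pkt.dst_port)
            host = self.dns_cache.get(pkt.dst_ip)
            if proto is not None:
                st.label = f"{proto}.{host}" if host else proto
                st.classified_at = 1
        return st

def sample_packets():
    """Constructed capture: a DNS lookup, then a TLS connection to the resolved IP."""
    client_hello = bytes([0x16, 0x03, 0x01, 0x00, 0x01, CLIENT_HELLO])   # header + type only
    server_hello = bytes([0x16, 0x03, 0x03, 0x00, 0x01, SERVER_HELLO])
    return [
        Packet(DNS_FLOW, True, "198.51.100.53", 53, b"\x00"),          # DNS query
        Packet(DNS_FLOW, False, "192.0.2.10", 40000, b"\x00",
               dns_answer=("www.example.org", "198.51.100.10")),        # DNS reply
        Packet(TLS_FLOW, True, "198.51.100.10", 443),                   # SYN
        Packet(TLS_FLOW, False, "192.0.2.10", 51234),                   # SYN/ACK
        Packet(TLS_FLOW, True, "198.51.100.10", 443),                   # ACK
        Packet(TLS_FLOW, True, "198.51.100.10", 443, client_hello),     # ClientHello
        Packet(TLS_FLOW, False, "192.0.2.10", 51234, server_hello),     # ServerHello
    ]

def classify(classifier) -> Dict[str, Tuple[Optional[str], Optional[int]]]:
    """Run the sample capture through a classifier: flow -> (label, packets needed)."""
    for pkt in sample_packets():
        classifier.feed(pkt)
    return {k: (v.label, v.classified_at) for k, v in classifier.flows.items()}

if __name__ == "__main__":
    print("DPI:", classify(DpiClassifier())[TLS_FLOW])   # ('TLS', 5)
    print("FPC:", classify(FpcClassifier())[TLS_FLOW])   # ('TLS.www.example.org', 1)
```

The handshake-based classifier settles on packet 5 of the TLS flow, the first-packet one on packet 1. That gap is what matters for an inline device: a verdict that arrives on packet 5 cannot be applied to the four packets already forwarded, whereas a first-packet guess (which may later be refined or overruled by full dissection) can.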
nDPI

Released nDPI 4.10: 421 Protocols, 55 Flow Risks, Several Improvements, Getting Ready for FPC

This is to announce the release of nDPI 4.10. This release adds many improvements and new detected protocols. For this reason, future releases will be scheduled more often, on a (hard) 4- or 6-month basis, in order to provide constant updates on a predictable timeframe. Besides adding many dissectors, this release paves the way towards First Packet Classification (FPC), an attempt (for selected protocols) to detect the application protocol at the first packet of a connection. Of course this is a challenge, and it won't …
nDPI

Positioning ntopng vs nProbe for Traffic Analysis

Recently we have compared the use of nDPI in a realtime application (ntopng) and in a near-realtime one (nProbe). We captured a short pcap with some mixed traffic and analysed it with both applications. The expectation was to find comparable results between the two applications, but this was only partially the case. This blog post explains the main differences between the two tools and why there are some discrepancies in the results. In our tests, we configured both nProbe and ntopng to analyze the same pcap and write the results to two different ClickHouse …
cento

Advancements in Traffic Processing Using Programmable Hardware Flow Offload

This week we presented at IEEE HPSR (IEEE International Conference on High Performance Switching and Routing) our latest work, which shows how nProbe can benefit from the acceleration provided by modern SmartNICs to achieve multi-100 Gbit traffic processing (both passive and inline) on low-end servers while deep-packet inspecting traffic with nDPI. If you want to know more about it, you can view the presentation slides or read the paper. Your feedback is welcome. Enjoy! …
nDPI

nDPI: Internals and Frequent Questions

All ntop tools are based on nDPI, but not every user is familiar with nDPI internals. We often receive questions about it, and it's time to answer the frequent ones. Q: How does nDPI implement protocol detection? A: nDPI includes a list of protocol dissectors (356 as of today) that are able to dissect protocols such as WhatsApp or TLS. As soon as a new flow is submitted to nDPI, the library applies in sequence the dissectors that can potentially match the flow (e.g. telnet is a TCP-based protocol and it will not …
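
To illustrate the sequential application of dissectors that the answer above describes, here is an added example written for this page (not nDPI's code): each dissector declares the transport it can match, a flow is offered only to dissectors that apply to its transport and have not yet excluded themselves, and the flow is given up as Unknown when no candidate is left or a packet budget is exhausted. The three toy dissectors, the packet budget, the Verdict names and the sample payloads are assumptions of this example; nDPI's real dissectors and bookkeeping structures are not reproduced.

```python
"""Sequential dissector application, modelled after the Q&A above (added example, not nDPI code).

A flow is offered only to dissectors that can apply to its transport.  Each
dissector answers MATCH, EXCLUDE (never my protocol for this flow) or
CONTINUE (need more packets).  Excluded dissectors are skipped for the rest
of the flow; when none remain, or the packet budget runs out, the flow is
given up as Unknown.  The dissectors are toy heuristics written for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Set

class Verdict(Enum):
    MATCH = "match"
    EXCLUDE = "exclude"
    CONTINUE = "continue"

@dataclass
class Flow:
    transport: str                                    # "tcp" or "udp"
    packets: int = 0
    excluded: Set[str] = field(default_factory=set)   # dissectors that ruled themselves out
    protocol: Optional[str] = None

@dataclass
class Dissector:
    name: str
    transports: Set[str]                  # transports this dissector can match
    check: Callable[[bytes], Verdict]

def telnet_check(payload: bytes) -> Verdict:
    """Toy Telnet: option negotiation opens with IAC (0xFF) followed by a command byte."""
    if not payload:
        return Verdict.CONTINUE           # e.g. a bare SYN: nothing to judge yet
    if len(payload) >= 3 and payload[0] == 0xFF and 0xF0 <= payload[1] <= 0xFE:
        return Verdict.MATCH
    return Verdict.EXCLUDE

def tls_check(payload: bytes) -> Verdict:
    """Toy TLS: a handshake record (0x16) with major version 3."""
    if not payload:
        return Verdict.CONTINUE
    return Verdict.MATCH if payload[:2] == b"\x16\x03" else Verdict.EXCLUDE

def dns_check(payload: bytes) -> Verdict:
    """Toy DNS over UDP: 12-byte header, standard-query opcode, exactly one question."""
    if len(payload) < 12:
        return Verdict.EXCLUDE            # a UDP datagram carries the whole message
    opcode = (payload[2] >> 3) & 0x0F
    qdcount = int.from_bytes(payload[4:6], "big")
    return Verdict.MATCH if opcode == 0 and qdcount == 1 else Verdict.EXCLUDE

DISSECTORS: List[Dissector] = [
    Dissector("Telnet", {"tcp"}, telnet_check),
    Dissector("DNS", {"udp"}, dns_check),          # UDP-only in this toy model
    Dissector("TLS", {"tcp"}, tls_check),
]
MAX_PACKETS = 8   # packet budget before giving up (constructed value)

def candidates(flow: Flow) -> List[Dissector]:
    """Dissectors still worth running: right transport and not yet excluded."""
    return [d for d in DISSECTORS
            if flow.transport in d.transports and d.name not in flow.excluded]

def process_packet(flow: Flow, payload: bytes) -> Optional[str]:
    """Offer one packet to the remaining candidates; return the protocol once decided."""
    if flow.protocol is not None:
        return flow.protocol
    flow.packets += 1
    for d in candidates(flow):
        verdict = d.check(payload)
        if verdict is Verdict.MATCH:
            flow.protocol = d.name
            return d.name
        if verdict is Verdict.EXCLUDE:
            flow.excluded.add(d.name)
    if not candidates(flow) or flow.packets >= MAX_PACKETS:
        flow.protocol = "Unknown"         # nothing left to try, or budget exhausted
    return flow.protocol

def classify(transport: str, payloads: List[bytes]):
    """Feed a constructed flow; return (protocol, packets consumed, dissectors initially tried)."""
    flow = Flow(transport)
    tried = [d.name for d in candidates(flow)]
    for payload in payloads:
        if process_packet(flow, payload) is not None:
            break
    return flow.protocol, flow.packets, tried

if __name__ == "__main__":
    print(classify("tcp", [b"", b"\xff\xfd\x18"]))                          # Telnet, 2 packets
    print(classify("tcp", [b"", b"\x16\x03\x01\x00\x05" + b"\x01" * 5]))    # TLS, 2 packets
    print(classify("udp", [b"\x12\x34\x01\x00\x00\x01" + bytes(6)]))        # DNS, 1 packet
```

Note the two ways a flow ends up Unknown: every applicable dissector has excluded itself (the UDP flow with a non-DNS payload is decided on packet 1), or the budget is exhausted while dissectors keep asking for more data (a TCP flow of empty segments). The first case is what makes exclusion worthwhile: a dissector that says "never" early removes itself from every later packet of that flow.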
nDPI

nDPI 4.8 is Now Available: Better Performance with Less Memory, Fuzzy Robustness, Many New Protocols

This is to announce the release of nDPI 4.8, which introduces various new protocols (in total 351 protocols and 53 risks), several internal changes to improve packet processing, extension of fuzzing to new components to improve coverage, and new algorithms for handling lists with reduced memory and better performance. Protocol changes have been introduced not just for new protocols but also to keep track of changes in existing protocols such as QUIC and TLS. That said, there are many changes under the hood, including contributions from many developers, that …
nDPI

How nDPI Improved Bloom Filters Implementation

A Bloom filter is a probabilistic data structure used to test whether an element is present in a set. Bloom filters can return false positives but never false negatives: when a lookup returns true it does not mean that the searched element is part of the set, only that it is "likely" to be, whereas a negative answer is definitive. nDPI (and most tools ntop develops) uses Bloom filters to speed up search operations: a quick membership check rules out most lookups before falling back to slower exact checks. For instance if ntopng needs to know whether host A has …
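
The Bloom filter below is an added example written for this page, not nDPI's implementation. It sizes the bit array from a target false-positive rate, derives the k bit positions by double hashing a single BLAKE2b digest, and then measures the actual false-positive rate against constructed host-pair keys of the kind a "has host A talked to host B" check would use. The sizing formulas are the standard ones; the host pairs, the parameters and the hash construction are choices made for this example.

```python
"""Bloom filter with a measured false-positive rate (added example, not nDPI's code).

The filter keeps m bits and sets k positions per element, derived from one
BLAKE2b digest by double hashing (h1 + i*h2 mod m).  A lookup may return a
false positive but never a false negative, which is why a 'maybe' answer is
safe to use as a fast pre-check in front of a slower exact lookup.
Host pairs below are constructed from RFC 1918 / RFC 5737 addresses.
"""
import hashlib
import math
from typing import Iterable, List, Tuple

def optimal_params(n_items: int, fp_rate: float) -> Tuple[int, int]:
    """Bits m and hash count k that minimise false positives for n items at the target rate."""
    m = math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k

def expected_fp_rate(m: int, k: int, n_items: int) -> float:
    """Textbook estimate (1 - e^(-kn/m))^k of the false-positive probability."""
    return (1.0 - math.exp(-k * n_items / m)) ** k

class BloomFilter:
    """m-bit filter with k positions per element; answers 'definitely no' or 'probably yes'."""
    def __init__(self, m_bits: int, k_hashes: int) -> None:
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray((m_bits + 7) // 8)
        self.count = 0

    def _positions(self, item: bytes) -> List[int]:
        """k bit positions from a single 16-byte digest (double hashing)."""
        digest = hashlib.blake2b(item, digest_size=16).digest()
        h1 = int.from_bytes(digest[:8], "little")
        h2 = int.from_bytes(digest[8:], "little") | 1    # odd stride so positions differ
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def __contains__(self, item: bytes) -> bool:
        """True means 'probably present'; False means 'definitely absent'."""
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

def host_pair_key(src: str, dst: str) -> bytes:
    """Key for a 'has host A talked to host B?' style of membership check."""
    return f"{src}->{dst}".encode()

def measure_fp_rate(bf: BloomFilter, absent: Iterable[bytes]) -> float:
    """Fraction of items known to be absent that the filter nevertheless reports as present."""
    absent = list(absent)
    hits = sum(1 for item in absent if item in bf)
    return hits / len(absent)

def demo(n_present: int = 1000, n_absent: int = 10000, target: float = 0.01) -> dict:
    """Fill a filter with constructed host pairs and compare measured vs expected false positives."""
    m, k = optimal_params(n_present, target)
    bf = BloomFilter(m, k)
    present = [host_pair_key(f"10.0.{i >> 8}.{i & 255}", "192.0.2.1") for i in range(n_present)]
    absent = [host_pair_key(f"10.1.{i >> 8}.{i & 255}", "192.0.2.1") for i in range(n_absent)]
    for key in present:
        bf.add(key)
    return {
        "m_bits": m,
        "k": k,
        "no_false_negatives": all(key in bf for key in present),   # must always hold
        "expected_fp": expected_fp_rate(m, k, n_present),
        "measured_fp": measure_fp_rate(bf, absent),
    }

if __name__ == "__main__":
    print(demo())
```

For 1000 inserted pairs and a 1% target the sizing yields 9586 bits and 7 hashes, roughly 1.2 bytes per element, and every inserted key is still found. The measured rate on 10,000 absent keys lands close to the 1% estimate, which is the property that makes the filter usable as a gate: the rare "probably yes" on an absent key costs only the slower exact lookup, while "definitely no" needs no further work.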