nDPI

nDPI

How nDPI Identifies Fully Encrypted Protocols

In the paper How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic it is described a technique used in censorship to identify and block fully encrypted protocols. This technique, limited to TCP flows, uses a few techniques that are applied on the first TCP packet with payload, making it fast and convenient although with a small (< 1%)  percentage of false positives: Ex1: popcount(pkt) ≤ 3.4 or popcount(pkt) ≥ 4.6. len(pkt) len(pkt) Ex2: The first six (or more) bytes of pkt are [0x20, 0x7e]. Ex3: More than …
nDPI

Using nDPI to Monitor Streaming, Messaging and Social Network Traffic

We have created nDPI to label network traffic and extract metadata such as the URL or TLS certificate information. nDPI is the layer on top of which ntop applications are sitting. This time we do not want to talk about nDPI internals but rather use it to monitor Internet traffic. For this reason we have taken traffic from an Italian broadband (no mobile) ISP, and used ntopng + nDPI to monitor the Internet traffic produced by residential and business users. Below you can find the results for social networks and …
nDPI

Welcome to nDPI 4.6: code fuzzing, new protocol and flow risks

This is to announce the release of nDPI 4.6 that introduces various improvements with respect to the previous release. Many things changed in this release in terms of number of protocols and robustness thanks to code fuzzing introduced in this release. nDPI now natively supports 332 protocols and 50 flow risks, this in addition to protocols that can be configured using the protocol file. Protocol metadata extraction has been improved in various protocols as well DGA detection in host names. Below you can find the complete changelog. Enjoy !   …
nDPI

HowTo Monitor Zoom Performance and Video/Call Quality

Zoom is a popular platform for video communications and team collaboration. As many other cloud services, network administrators need to supervise Zoom network traffic usage. DPI toolkits such as nDPI are useful for identifying Zoom traffic for supervising the network bandwidth used by your Zoom calls. Recently we have took advantage of this research work to improve Zoom protocol dissection in order to Recognise Zoom video, audio, and screen sharing streams (previously they were classified just with a generic Zoom label). In addition to existing metrics such as bandwidth or …
Cybersecurity

Introducing nDPI 4.4: Many New Protocols, Improvements and Cybersecurity Features

This is to introduce nDPI 4.4 that includes the development activities of the last six months. As with previous releases we are improving protocol support, automatic testing to harden the code for critical environments, and introducing new cybersecurity features for detecting risks and extracting metadata from protocols. Our idea is to make nDPI more user friendly, going beyond protocol detection, and adding the ability to interpret traffic and tell what is wrong and why. You can read the full changelog, or find below an excerpt of the most relevant changes. …
nDPI

How to Configure Flow Risk Exclusions in nDPI and ntopng

Flow risks are the mechanism nDPI implements for detecting issues in network traffic whose theoretical design is documented in this paper Using Deep Packet Inspection in CyberTraffic Analysis we have written last year. While we are reworking the definition of risk exceptions in ntopng to make them fully configurable with a matter of clicks, you can easily configure risk exceptions by adding them to a protos.txt file. Such file can be passed to ntopng on the configuration file by adding a line such as --ndpi-protocols=/etc/ntopng/protos.txt and creating the /etc/ntopng/protos.txt file. …
nDPI

You’re invited at FOSDEM 2022 (5 and 6 February) in the ntop stand

As most of our users know, every year we were used to meet the world of open source at FOSDEM in Brussels. Due to pandemic, this yearly event has been moved online so we invite you to attend it wherever you are. You can find more info at this page, but in summary we have two main events On Saturday we plan to show the latest tools we have developed, including ntopng 5.2 that we have just released. The idea is to highlight the main tool features, and discuss about …
nDPI

HowTo Define nDPI Risk Exceptions for Networks and Domains

In the past couple of years we have added the concept of flow risk in nDPI that allows issues with flows to be detected (for instance expired TLS certificates). Unfortunately we need to silence some of these risk exceptions as some hosts/domain names produce risks that need to be ignored (for instance an outdated device that cannot be replaced and that has been properly protected by the security policies). In ntopng you can disable them clicking on the flow alert that will open a window as the one below,   …
nDPI

A Gentle Introduction To Timeseries Similarity in nDPI (and ntopng)

Introduction Let’s start from the end. In your organisation you probably have thousand of timeseries of various nature: SNMP interfaces, hosts traffic, protocols etc. You would like to know what timeseries are similar as this is necessary for addressing many different questions: Host A and host B are two different hosts that have nothing in common but have the same traffic behaviour. Host C is under attack: who else is also under attack? SNMP interface X and interface Y are load balancing/sharing the same traffic: is their timeseries alike or …
nDPI

Configuring nDPI Flow Risk Exceptions

One of the newest features of nDPI 4 is the ability to identify flow risks. Unfortunately sometimes you need to add exceptions as some of those risks, while correct, need to be ignored. Examples include: An old device that is speaking an outdate TLS version but that you cannot upgrade, and that you have done your best to protect. A host name that looks like a DGA but that it isn’t. A service running on a non-standard port but that works perfectly as is. In order to address the need …
nDPI

Introducing nDPI 4.0: DPI for CyberSecurity and Traffic Analysis

This is to announce nDPI 4.0. With this new stable release we have extended the scope of nDPI that was originally conceived as a toolkit for detecting application protocols. nDPI is now a modern library for packet processing that in addition to DPI it includes self-contained, efficient (both in memory and processing speed) streaming versions of popular algorithms for data analysis including: Data Forecasting and Anomaly Detection Single, Double, Triple (Holt-Winters) Exponential Smoothing RSI (Relative Strength Index) Data Binning, Clustering, and Similarity Evaluation Network Data Analysis Jitter Entropy GeoIP Data …
Cybersecurity

How to Spot Unsafe Communications using nDPI Flow Risk Score

nDPI it is much more than a DPI library used to detect the application protocol. In the past year, nDPI has grown in terms of cybersecurity features used to detect threats and network issues leveraging on the concept of flow risk. Each nDPI-analysed flow has associated a numerical flow risk that in essence is a bitmap with a bit set to 1 whenever a risk has been detected for such flow. The list of (to date) supported flow risks are: HTTP suspicious user-agent HTTP numeric IP host contacted HTTP suspicious …