nDPI

In the paper How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic it is described a technique used in censorship to identify and block fully encrypted protocols. This technique, limited to TCP flows, uses a few techniques that are applied on the first TCP packet with payload, making it fast and convenient although with a small (< 1%)  percentage of false positives: Ex1: popcount(pkt) ≤ 3.4 or popcount(pkt) ≥ 4.6. len(pkt) len(pkt) Ex2: The first six (or more) bytes of pkt are [0x20, 0x7e]. Ex3: More than …

We have created nDPI to label network traffic and extract metadata such as the URL or TLS certificate information. nDPI is the layer on top of which ntop applications are sitting. This time we do not want to talk about nDPI internals but rather use it to monitor Internet traffic. For this reason we have taken traffic from an Italian broadband (no mobile) ISP, and used ntopng + nDPI to monitor the Internet traffic produced by residential and business users. Below you can find the results for social networks and …

This is to announce the release of nDPI 4.6 that introduces various improvements with respect to the previous release. Many things changed in this release in terms of number of protocols and robustness thanks to code fuzzing introduced in this release. nDPI now natively supports 332 protocols and 50 flow risks, this in addition to protocols that can be configured using the protocol file. Protocol metadata extraction has been improved in various protocols as well DGA detection in host names. Below you can find the complete changelog. Enjoy !   …

In the past couple of years we have added the concept of flow risk in nDPI that allows issues with flows to be detected (for instance expired TLS certificates). Unfortunately we need to silence some of these risk exceptions as some hosts/domain names produce risks that need to be ignored (for instance an outdated device that cannot be replaced and that has been properly protected by the security policies). In ntopng you can disable them clicking on the flow alert that will open a window as the one below,   …

One of the newest features of nDPI 4 is the ability to identify flow risks. Unfortunately sometimes you need to add exceptions as some of those risks, while correct, need to be ignored. Examples include: An old device that is speaking an outdate TLS version but that you cannot upgrade, and that you have done your best to protect. A host name that looks like a DGA but that it isn’t. A service running on a non-standard port but that works perfectly as is. In order to address the need …

This is to announce nDPI 4.0. With this new stable release we have extended the scope of nDPI that was originally conceived as a toolkit for detecting application protocols. nDPI is now a modern library for packet processing that in addition to DPI it includes self-contained, efficient (both in memory and processing speed) streaming versions of popular algorithms for data analysis including: Data Forecasting and Anomaly Detection Single, Double, Triple (Holt-Winters) Exponential Smoothing RSI (Relative Strength Index) Data Binning, Clustering, and Similarity Evaluation Network Data Analysis Jitter Entropy GeoIP Data …