nDPI

Last week we have attended the DPDK Summit North America 2018 and talked about how to use nDPI over DPDK, a kernel-bypass toolkit similar to PF_RING. For those who have not attended the presentation, they can read the presentation slides. As you will be read, nDPI is a cross platform deep packet inspection toolkit able to process about 10 Gbit of traffic with a single core on an Intel E3 CPU. Its code is portable across various architectures, you can use it from user space and kernel (not what we …

This is to announce the release of nDPI 2.4 that is an incremental release mainly introducing the concept of categories in addition to new dissectors and bug fixes. In a nutshell in order to limit the number of custom protocols defined as “if traffic goes from/to Internet domain X then this is protocol X” all these protocols have been grouped into a category. This eases application developers life as they do not have to handle thousand of protocols and simplify configuration. For instance instead of having malware site X, site …

Weeks ago I have added support for GoogleServices detection in nDPI and thus I wanted to test the code with real traffic. For this reason I started to play with a few Android phones in order to test the code on various OS releases and implementations. This is what I found out. The testbed was very simple: disable 3G/4G, start a packet sniffer application such a tcpdump/wireshark so that I could dump all traffic, connect the phone to a WiFi hotspot and wait< 1 minute without doing anything (start applications …

Last week at Sharkfest EU we have shown how you can use nDPI and Lua scripting to turn Wireshark into a traffic monitoring tool. We remind you that all the ntop contributions to Wireshark are open source and can be found on github. Enjoy! …

This week at Sharkfest US 17, we have presented the ntop contributions to wireshark. In particular: How to use nDPI to complement Wireshark traffic classification How to remote capture on a remote box at 10/401/100 Gbit and stream traffic securely to wireshark via SSH Same as above but extracting packets from TBytes (of pcaps)  using pcap indexes How to turn wireshark into a traffic monitoring tool able to measure traffic and network latency. For those who have not attended the session (recording will appear soon on the sharkfest web site), …

This is to announce the release of nDPI 1.8. In this version we have updated many protocol dissectors, simplified the API as well started to introduce changes that will be further improved in future versions. As usual we have changed many protocols dissectors. The whole changelog can be found below. Many thanks to all contributors! Changelog Recoded DNS and QUIC dissectors Code passed checks of static code analysers Added API wrappers (to be used in apps using nDPI) for substring-search ndpi_init_automa() ndpi_free_automa() ndpi_add_string_to_automa() ndpi_finalize_automa() ndpi_match_string() set_ndpi_malloc() set_ndpi_free() Added new ndpi_detection_giveup() …