nDPI

nDPI

How to use nDPI from CLI to analyse network traffic
Most people use nDPI indirectly being it part of ntopng and many other non-ntop developed tools. However not many people know that nDPI can also be used from the command line to analyse network traffic. This is useful to create scripts to automate detection of specific issues. ndpiReader is a testing tool used to demonstrate the library features as well run validation tests. With this tool is also possible to generate a report in CSV format that can be analysed with tools such as q. Below you can find some …
nDPI

Introducing nDPI v3: Encrypted/Malware Traffic Analysis with Ease
Those who though that DPI died with the advent of traffic encryption should play with nDPI v3 that we’re introducing today. As already discussed, the pervasive use of encrypted traffic requires a new mindset when analysing network traffic. We decided to enhance nDPI adding the best traffic analysis techniques available today, in particular Cisco Joy, and facilities for calculating metrics such as entropy, standard deviation etc. that can be used to identify hidden traffic properties otherwise invisible. Thanks to all this, nDPI is now able to report if a SSH …
nDPI

How Encryption Changed Network Traffic (Monitoring). Finally.
For years traffic monitoring tools assumed traffic was in clear text. This because when the Internet was created all the main protocols such as DNS, HTTP, SMTP, Telnet, POP were in clear. With this practice it was easy to report let’s say the breakdown of DNS response codes, or detect force brute attacks on HTTP authentication. With the advent of traffic encryption, the (bad?) practice of inspecting traffic was no longer possible and network developers had several headaches. Those who were unable to see new opportunities with traffic encryption started …
nDPI

New Challenges in DPI Protocol Detection
In the early Internet days, each network protocol was designed for a specific purpose: SMTP for sending emails, HTTP for the web and so on. In order to make sure that implementations where compliant with the specification, there was an RFC per protocol describing it. If a connection was starting with a protocol, let’s say SMTP, for the duration of the connection that was a SMTP connection meaning that the protocol behind a given connection was persistent for its duration. This in the early days. Unfortunately the modern Internet does …
nDPI

TLS/SSL Analysis: When Encryption and Safety Are Not Alike
Most people think that SSL means safety. While this is not a false statement, you should not take it for granted. In fact while your web browser warns you when a certain encrypted communication has issues (for instance them SSL certificates don’t match), you should not assume that SSL = HTTPS, as: TLS/SSL encryption is becoming (fortunately) pervasive also for non web-based communications. The web browser can warn you for the main URL, but you should look onto the browser development console for other alerts (most people ignore the existence …
Announce

nDPI 2.8-stable is Out
This new release brings several fixes that make nDPI more stable. Such fixes involve especially DNS and HTTP traffic dissection. Here is the full list of changes: New Supported Protocols and Services Added Modbus over TCP dissector Improvements Wireshark Lua plugin compatibility with Wireshark 3 Improved MDNS dissection Improved HTTP response code handling Full dissection of HTTP responses Fixes Fixed false positive mining detection Fixed invalid TCP DNS dissection Releasing buffers upon realloc failures ndpiReader: Prevents references after free Endianness fixes Fixed IPv6 HTTP traffic dissection Fixed H.323 detection Other …
nDPI

Traffic Classification Using nDPI over DPDK
Last week we have attended the DPDK Summit North America 2018 and talked about how to use nDPI over DPDK, a kernel-bypass toolkit similar to PF_RING. For those who have not attended the presentation, they can read the presentation slides. As you will be read, nDPI is a cross platform deep packet inspection toolkit able to process about 10 Gbit of traffic with a single core on an Intel E3 CPU. Its code is portable across various architectures, you can use it from user space and kernel (not what we …
nDPI

Promoting Traffic Visibility: from Application Protocols to Traffic Categories in nDPI and ntopng
Often we receive emails asking question like: “how many protocols nDPI supports?”, “how do you position nDPI against commercial DPI toolkit A, B, C?”. Although these questions are reasonable, they do not grasp the significance of DPI. For years commercial toolkits have run the race for protocols: I have 200 protocols, I have 1000 protocols, I have 500. Then asking that is the meaning with the term “protocol” people list traffic from to sites like cnn.com or bbc.co.uk. But BBC is not a protocol but rather some traffic (for instance …
nDPI

Introducing nDPI 2.4
This is to announce the release of nDPI 2.4 that is an incremental release mainly introducing the concept of categories in addition to new dissectors and bug fixes. In a nutshell in order to limit the number of custom protocols defined as “if traffic goes from/to Internet domain X then this is protocol X” all these protocols have been grouped into a category. This eases application developers life as they do not have to handle thousand of protocols and simplify configuration. For instance instead of having malware site X, site …
Announce

Released nDPI 2.2.2: 7 New Protocols, Many Improvements
This is to announce a minor nDPI release update that adds a few fixes and introduces support for popular cloud protocols such as Google and Apple push service. Below you can find the complete changelog. Enjoy! Main New Features Initial experimental Hyperscan support ndpi_get_api_version API call to be used in applications that are dynamically linking with nDPI –enable-debug-messages to enable debug information output Increased number of protocols to 512 New Supported Protocols and Services GoogleDocs GoogleServices AmazonVideo ApplePush Diameter GooglePlus WhatsApp file exchage Improvements WhatsApp detection Amazon detection Improved Google …
nDPI

Is your Android phone safe? nDPI will tell you
Weeks ago I have added support for GoogleServices detection in nDPI and thus I wanted to test the code with real traffic. For this reason I started to play with a few Android phones in order to test the code on various OS releases and implementations. This is what I found out. The testbed was very simple: disable 3G/4G, start a packet sniffer application such a tcpdump/wireshark so that I could dump all traffic, connect the phone to a WiFi hotspot and wait< 1 minute without doing anything (start applications …
Announce

Announcing nDPI 2.2
Today we are glad to release nDPI stable version 2.2. This minor release present several fixes and adds support for a handful of new protocols. It also features custom application categories to allow users to create personalized mappings between protocols and categories. The full list of changes introduced with this release are: Main New Features Custom protocol categories to allow personalization of protocols-categories mappings DHCP fingerprinting HTTP User Agent discovery New Supported Protocols and Services ICQ (instant messaging client) YouTube Upload LISP SoundCloud Sony PlayStation Nintendo (switch) gaming protocol Improvements …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe