Combining nDPI and Wireshark for Cybersecurity Traffic Analysis


At the upcoming SharkFest Europe 2021 we will talk about using Wireshark in cybersecurity. Part of the talk will focus on the integration of nDPI with Wireshark. Since the last release, nDPI features flow risk analysis: for each flow it reports the set of potential risks associated with that communication, ranging from simple ones such as 'TLS Certificate Expired' to more elaborate ones such as 'Suspicious DGA domain name' and 'SQL injection'. You can find a comprehensive (and still growing) list of the supported risks here.

For the impatient, this is a quick guide on how to play with this integration.

Prerequisite

Download and install nDPI, including the ndpi.lua script that Wireshark uses to talk to nDPI. You can find full installation instructions on the nDPI/Wireshark page.

Usage

Open a pcap file or start a live capture using the nDPI extcap plugin, which is what enables Wireshark to use nDPI.

You can do that by clicking on the gear icon next to the nDPI interface and selecting a pcap file or an interface name in the dialog window that opens after the click.

Once you click Start, Wireshark operates as usual and starts dissecting packets. The plugin adds a new header to each packet, highlighted in red in the picture below.

For all flows, nDPI reports the application protocol. For those flows in which a non-zero risk has been identified, the flow risk is reported both as a string (suitable for humans) and as a number (suitable for building Wireshark display filters). The numeric value is a bitmap in which the bit corresponding to each identified risk is set to 1, so a single flow can carry several risks at once, and a display filter can test for one specific risk with a bitwise AND on that field rather than matching the human-readable string. The picture above shows an example dissecting AnyDesk traffic. You can find test pcaps in the nDPI regression-tests directory.
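The following is an added example (not code from this post or from nDPI) showing how to work with the numeric risk bitmap: combining risk ids into a bitmap the way a flow carries them, decoding a bitmap back into names, and generating Wireshark display filters that test individual bits. Everything beyond "bit set for each identified risk" is an assumption for illustration: the id-to-name table is a placeholder (the authoritative ids are nDPI's ndpi_risk_enum and change between releases), risk id N is assumed to occupy bit N of a 64-bit value with id 0 meaning no risk, and the field name ndpi.flow.risk_num is assumed; read ndpi.lua on your install for the real field name.

```python
"""Decode nDPI flow-risk bitmaps and build Wireshark display filters from them.

Added example, not code from the post or from nDPI itself.
ASSUMPTIONS (not stated by the post):
  * risk id N is stored as bit N of a 64-bit bitmap (id 0 means "no risk");
  * RISK_NAMES below is an illustrative table; the authoritative ids live in
    nDPI's ndpi_risk_enum and change between releases;
  * the Wireshark field is called "ndpi.flow.risk_num"; check ndpi.lua for the
    real name on your install.
"""
from typing import Dict, Iterable, List

# ASSUMPTION: illustrative id -> name table, not the real nDPI enum values.
RISK_NAMES: Dict[int, str] = {
    2: "URL possible SQL injection",
    9: "TLS certificate expired",
    16: "Suspicious DGA domain name",
}

BITMAP_WIDTH = 64  # assumed: the risk bitmap is a 64-bit value


def risk_bit(risk_id: int) -> int:
    """Return the bitmap bit for a risk id (bit N for id N, id 0 is 'no risk')."""
    if not 1 <= risk_id < BITMAP_WIDTH:
        raise ValueError(f"risk id {risk_id} outside the {BITMAP_WIDTH}-bit bitmap")
    return 1 << risk_id


def encode_risks(risk_ids: Iterable[int]) -> int:
    """Combine several risk ids into one bitmap, as a flow carries them."""
    bitmap = 0
    for rid in risk_ids:
        bitmap |= risk_bit(rid)
    return bitmap


def decode_risk_bitmap(bitmap: int, names: Dict[int, str] = RISK_NAMES) -> List[str]:
    """Turn a bitmap back into human-readable names, lowest id first.

    Bits with no entry in `names` are reported as "unknown risk id N" rather
    than dropped: a bitmap produced by a newer nDPI than the table can contain
    ids the table does not know, and silently hiding them would hide a risk.
    """
    if bitmap < 0 or bitmap >= (1 << BITMAP_WIDTH):
        raise ValueError("bitmap does not fit in the 64-bit risk value")
    found: List[str] = []
    for rid in range(1, BITMAP_WIDTH):
        if bitmap & (1 << rid):
            found.append(names.get(rid, f"unknown risk id {rid}"))
    return found


def wireshark_filter(risk_ids: Iterable[int], field: str = "ndpi.flow.risk_num",
                     match_all: bool = False) -> str:
    """Build a display filter matching flows that carry the given risks.

    In Wireshark `field & mask` is true when the AND is non-zero, so a single
    mask covering all ids gives "any of these risks". For "all of them" each
    bit is tested separately and joined with &&, which works on any version.
    """
    ids = sorted(set(risk_ids))
    if not ids:
        raise ValueError("at least one risk id is required")
    if match_all:
        return " && ".join(f"{field} & {risk_bit(rid):#x}" for rid in ids)
    return f"{field} & {encode_risks(ids):#x}"


if __name__ == "__main__":
    # Constructed value: the bitmap a flow with an expired certificate and a
    # DGA-looking domain would carry under the assumptions above.
    sample = encode_risks([9, 16])
    print(f"{sample:#x} -> {decode_risk_bitmap(sample)}")
    print(wireshark_filter([9, 16]))
    print(wireshark_filter([9, 16], match_all=True))
```

Paste the string returned by wireshark_filter into the Wireshark filter bar to keep only flows with the risks you care about; the match_all form is the one to use when you want, for example, only flows that are both on a suspicious domain and using an expired certificate.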

We hope you will attend SharkFest Europe to learn more about all this, and about the other extensions we have coded in nDPI and Wireshark.

Enjoy!