Introducing nDPI 4.0: DPI for CyberSecurity and Traffic Analysis

This is to announce nDPI 4.0. With this new stable release we have extended the scope of nDPI, which was originally conceived as a toolkit for detecting application protocols.

nDPI is now a modern packet-processing library that, in addition to DPI, includes self-contained streaming versions of popular data-analysis algorithms, efficient in both memory and processing speed, including:

This means that you can use nDPI as a layer on top of which you build your network traffic analysis application. Do not forget that nDPI is a packet-capture-neutral library: it does not include packet capture facilities itself, but it can sit on top of libpcap, PF_RING, DPDK or anything you like.

We have also boosted the cybersecurity features that were designed in the 3.x series. This includes:

  • Improved ETA (Encrypted Traffic Analysis).
  • Implementation of a new nDPI-unique fingerprint named JA3+, an improvement (read: fewer false positives) over the popular JA3.
  • Increased the number of supported flow risks (currently 33 in total).
  • Added the ability to mask flow risks by extending the custom protocol definitions.
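To make the JA3 bullet concrete, here is how a JA3 fingerprint (the basis that JA3+ builds on) is derived from the parameters of a TLS ClientHello and then compared against reference sets. This is an added Python example, not nDPI's own code (nDPI is written in C, and the post does not describe what JA3+ changes, so only standard JA3 is shown); the ClientHello parameter values and the `known_bad` / `known_good` sets are constructed for illustration.

```python
import hashlib

# GREASE values (RFC 8701): browsers insert these random placeholders into the
# ClientHello. JA3 drops them so that the same client yields the same fingerprint
# on every connection; forgetting this is a classic source of fingerprint churn.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}   # 0x0a0a, 0x1a1a, ..., 0xfafa


def _field(values):
    """Render one ClientHello list as dash-separated decimals, GREASE removed."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Canonical JA3 string: version,ciphers,extensions,curves,point_formats."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 fingerprint: MD5 of the JA3 string as 32 lowercase hex characters."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed ClientHello parameters (not captured traffic): TLS 1.2 record
# version (771), a short cipher list, the server_name / supported_groups /
# ec_point_formats / signature_algorithms / ALPN / supported_versions
# extensions, two curves and one point format. The second variant adds GREASE
# entries the way a browser does and must produce the same fingerprint.
HELLO_PLAIN = dict(version=771,
                   ciphers=[4865, 4866, 4867, 49195, 49199],
                   extensions=[0, 10, 11, 13, 16, 43],
                   curves=[29, 23],
                   point_formats=[0])
HELLO_GREASED = dict(version=771,
                     ciphers=[0x1a1a, 4865, 4866, 4867, 49195, 49199],
                     extensions=[0x4a4a, 0, 10, 11, 13, 16, 43, 0xfafa],
                     curves=[0x3a3a, 29, 23],
                     point_formats=[0])


def classify(fingerprint, known_bad, known_good):
    """Look a fingerprint up in (constructed) reference sets.

    Returns "malicious" on a blocklist hit, "known" on an allowlist hit and
    "unknown" otherwise. An "unknown" result is a prompt to look further, not
    a verdict on its own: many unrelated clients share the same TLS stack, which
    is exactly the false-positive problem a richer fingerprint tries to reduce.
    """
    if fingerprint in known_bad:
        return "malicious"
    if fingerprint in known_good:
        return "known"
    return "unknown"


if __name__ == "__main__":
    fp = ja3_hash(**HELLO_PLAIN)
    print(ja3_string(**HELLO_PLAIN))
    print(fp, classify(fp, known_bad=set(), known_good={fp}))
    # Same client with GREASE sprinkled in yields the same fingerprint.
    print(ja3_hash(**HELLO_GREASED) == fp)
```

The GREASE filter is the part worth remembering when you build detection rules on fingerprints: without it, a single browser would appear as dozens of distinct clients, and any allowlist keyed on the hash would miss most of its own traffic.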

In addition to all this, the 4.0 release has been boosted in terms of speed, with a 2.5x improvement with respect to the 3.x series. Below you can see a performance report comparing the previous 3.4 stable release with the current version 4.0:

  • v3.4 – nDPI throughput: 1.29 M pps / 3.35 Gb/sec
  • v4.0 – nDPI throughput: 3.35 M pps / 8.68 Gb/sec

Many new protocols (14) have been added, and detection of existing ones has been improved.

We would like to thank all developers and contributors, and in particular lnslbrty, IvanNardi and vel21ripn, for the time they donated to the project.

Finally, many thanks to Braintrace for supporting nDPI development and triggering new ideas and features now included in this release.

Enjoy!