Promoting Traffic Visibility: from Application Protocols to Traffic Categories in nDPI and ntopng


Often we receive emails asking questions like: “how many protocols does nDPI support?” or “how do you position nDPI against commercial DPI toolkit A, B, C?”. Although these questions are reasonable, they miss what DPI is really about. For years commercial toolkits have run the race for protocols: I have 200 protocols, I have 1000 protocols, I have 500. Yet when you ask what is meant by the term “protocol”, people list traffic to sites like cnn.com or bbc.co.uk. But BBC is not a protocol: it is some traffic (for instance HTTP, or DNS) going towards *.bbc.co.uk hosts. So today comparing DPI toolkits based on the number of (so called) protocols is a bad idea, as most of these are anything but protocols.

Actually, having many protocols is a pain. Computer scientists know what protocols are about, but if you ask a non-tech person to list the peer-to-peer protocols, I am not sure you will receive a correct answer. In addition, having too many protocols is bad: do you prefer to say “block all the social networks traffic” or “block Facebook, Twitter, …”? Which one is more error prone? Not to mention that as soon as a new social network becomes popular you have to review all the settings of your app, whereas letting the DPI toolkit take care of this is transparent and thus a better solution. Finally, suppose that you want to block all advertisement sites and update their list daily via an Internet feed. This would be a nightmare to maintain when mapping each site to a protocol, instead of mapping it to a category.

To make this long story short, nDPI has introduced categories in its latest release, and this has enabled us to make ntopng and nEdge better and more configurable. The problems that we are going to tackle include:

  • I want to block all advertisement sites (nEdge)
  • I want to trigger an alert whenever my employees access a malware site (ntopng; in nEdge you also have the bonus of blocking this traffic)
  • I run a grocery shop which provides free WiFi to customers, and I want to prevent them from using the WiFi to access the sites of competitors, as they use them for comparing prices (nEdge)
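To make the argument above concrete, here is an added example (not nDPI or ntopng code) that models host-to-category mapping and a policy written in terms of categories: the blocking and alerting rules are written once, and a constructed advertisement feed is merged into the table later without touching the policy. Host names, category names and the feed are constructed for illustration.

```python
# Added example (not nDPI/ntopng code): a toy model of nDPI-style traffic
# categories, showing why a policy written against categories stays unchanged
# when the host lists behind those categories change. All hosts are constructed.
class CategoryTable:
    """Maps host names to categories; patterns are exact names or '*.suffix'."""
    def __init__(self):
        self.patterns = {}

    def add_host(self, pattern, category):
        self.patterns[pattern.lower().rstrip(".")] = category

    def load_feed(self, feed_text, category):
        """Merge a host list (one per line, '#' comments) into one category, as
        a daily advertisement feed would. Returns the number of hosts added."""
        hosts = [l.split("#", 1)[0].strip() for l in feed_text.splitlines()]
        for host in filter(None, hosts):
            self.add_host(host, category)
        return sum(1 for h in hosts if h)

    def lookup(self, hostname):
        """Most specific match wins: exact name first, then longest '*.suffix'."""
        host = hostname.lower().rstrip(".")
        if host in self.patterns:
            return self.patterns[host]
        labels = host.split(".")
        for i in range(1, len(labels)):
            category = self.patterns.get("*." + ".".join(labels[i:]))
            if category is not None:
                return category
        return "unspecified"


class CategoryPolicy:
    """Rules expressed in categories rather than in host or protocol names."""
    def __init__(self, block=(), alert=()):
        self.block, self.alert = set(block), set(alert)

    def decide(self, table, hostname):
        category = table.lookup(hostname)
        if category in self.block:
            return ("block", category)
        if category in self.alert:
            return ("alert", category)
        return ("allow", category)


# Constructed defaults; AD_FEED stands in for a feed fetched later.
TABLE = CategoryTable()
TABLE.add_host("*.bbc.co.uk", "news")
TABLE.add_host("*.malware-example.test", "malware")
POLICY = CategoryPolicy(block={"advertisement"}, alert={"malware"})
AD_FEED = "# constructed feed\nads.tracker-example.net\n*.adserver-example.com\n"
```

Before the feed is loaded, a constructed ad host resolves to "unspecified" and is allowed; after `TABLE.load_feed(AD_FEED, "advertisement")` the same host is blocked, while `POLICY` itself was never edited.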

While in nDPI you can manipulate categories through the API, in ntopng you can do that using the web interface. Going to the Protocol entry in the Preferences menu you can access all the known application protocols and bind them to categories (or modify the default category provided by nDPI).

You can also edit the categories by adding new hosts or IPs: access the Categories menu entry in the Preferences and add custom hosts.

In addition to this, you can do it easily while looking at flows. Suppose that you are watching a video and you see advertisements or tracking on your screen: you can block the selected sites by listing flows, then accessing the flow info of those flows whose host name looks suspicious. As you can see from the picture below, we have added a + icon that lets you add the host to a selected category by clicking on it.

This is a simple procedure that should enable everyone to manipulate categories with the mouse rather than the keyboard.

We hope that the introduction of this new feature will enable people to better categorise their traffic and see what really happens on the network. Remember that ntopng produces reports like the one below, so you can see host-by-host or network-by-network what is flowing on the network.

Enjoy!