Released nDPI 3.4: increased detection speed, statistical analysis, fuzzing, cybersecurity

Posted · Add Comment

This is to announce the release of nDPI 3.4 that is a major step ahead with respect to 3.2:

  • Detection speed has been greatly optimised
  • Many new functions for statistical protocol analysis have been introduced. This is to expand nDPI into traffic analysis beyond simple flow-based analysis.
  • Fuzzing and code analysis (credits to catenacyber and lnslbrty) made nDPI more stable and robust than ever
  • Completely rewritten QUIC dissector (credits to IvanNardi) with support of the latest protocol versions
  • Added 24 security risks for speeding up the adoption of nDPI in cybersecurity that can be used to detect obsolete protocol versions, invalid/outdated ciphers, encryption violations, insecure protocol versions and many more.

Below you can find the complete changelog.




New Features

  • Completely reworked and extended QUIC dissector
  • Added flow risk concept to move nDPI towards result interpretation
  • Added ndpi_dpi2json() API call
  • Added DGA risk for names that look like a DGA
  • Added HyperLogLog cardinality estimator API calls
  • Added ndpi_bin_XXX API calls to handle bin handling
  • Fully fuzzy tested code that has greatly improved reliability and robustness

New Supported Protocols and Services

  • QUIC
  • SMBv1
  • WebSocket
  • TLS: added ESNI support
  • SOAP
  • DNScrypt


  • Python CFFI bindings
  • Various TLS extensions and fixes including extended metadata support
  • Added various pcap files for testing corner cases in protocols
  • Various improvements in JSON/Binary data serialisation
  • CiscoVPN
  • H323
  • MDNS
  • MySQL 8
  • IEC 60870-5-104
  • DoH/DoT dissection improvements
  • Office365 renamed to Microsoft365
  • Major protocol dissection improvement in particular with unknown traffic
  • Improvement in Telegram v6 protocol support
  • HTTP improvements to detect file download/upload and binary files
  • BitTorrent and WhatsApp dissection improvement
  • Spotify
  • Added detection of malformed packets
  • Fuzzy testing support has been greatly improved
  • SSH code cleanup


  • Fixed various memory leaks and race conditions in protocol decoding
  • NATS, CAPWAP dissector
  • Removed HyperScan support that greatly simplified the code
  • ARM platform fixes on memory alignment
  • Wireshark extcap support
  • DPDK support
  • OpenWRT, OpenBSD support
  • MINGW compiler support


  • Created demo app for nDPI newcomers
  • Removed obsolete pplive and pando protocols