Released nDPI 4.10: 421 Protocols, 55 Flow Risks, Several Improvements, Getting Ready for FPC


This is to announce the release of nDPI 4.10. This release adds many improvements and newly detected protocols. For this reason, future releases will be scheduled more often, on a hard 4- or 6-month cadence, in order to provide you with constant updates on a predictable timeframe.

Besides adding many dissectors, this release paves the way towards First Packet Classification (FPC), an attempt (for selected protocols) to classify the application protocol at the first packet of a connection. Of course this is a challenge, and it won't be possible for all protocols, but we're moving in that direction, as it could save a lot of memory and CPU cycles while nDPI-ing. This will be one of the main goals of the next release (which will probably be the first of the 5.0 series), along with other measurements we have in mind.

For the time being, enjoy this release, and for those interested in the complete changelog, you can find it in the rest of this post.

Enjoy !

Changelog

Major Changes

  • Initial work towards First Packet Classification (FPC)

New Supported Protocols and Services

  • Add OpenWire support (#2513)
  • FPC: add DNS correlation (#2497)
  • ipaddr2list.py, ndpi2timeline.py: reformatted (#2509)
  • Add Nano (XNO) protocol support (#2508)
  • Added ClickHouse protocol
  • Add HLS support (#2502)
  • Add infrastructure for explicit support of First Packet Classification (#2488)
  • Add detection of Twitter bot (#2487)
  • Add Ripe Atlas probe protocol. (#2473)
  • Add ZUG consensus protocol dissector. (#2458)
  • Added NDPI_PROBING_ATTEMPT risk
  • DTLS: add support for DTLS 1.3 (#2445)
  • Added dpi.compute_entropy configuration parameter
  • Add Call of Duty Mobile support (#2438)
  • Add Ethernet Global Data support (#2437)
  • Viber: add detection of voip calls and avoid false positives (#2434)
  • Add support for Mastodon, Bluesky and (FB-)Threads (#2418)
  • Fix JA4 computation by adding a better GREASE detection function
  • DTLS: add support for Alert message type (similar to TLS) (#2406)
  • Add Adobe Connect support (#2407)
  • Remove PPStream protocol and add iQIYI (#2403)
  • Add BFCP protocol support (#2401)
  • Add strlcpy implementation (#2395)
  • Add KNXnet/IP protocol support (#2397)
  • STUN: add support for ipv6 in some metadata (#2389)
  • Implemented STUN peer_address, relayed_address, response_origin and other_address parsing; added code to ignore invalid STUN realm; extended JSON output with STUN information
  • Add Label Distribution Protocol support (#2385)
  • Add The Elder Scrolls Online support (#2376)
  • Add Shellscript risk detection. (#2375)
  • Add PE32/PE32+ risk detection (detect transmitted windows executables). (#2312)
  • Added support for STUN Mapped IP address
  • Added binary data transfer risk alert
  • Add LoL: Wild Rift detection (#2356)
  • STUN: add dissection of XOR-PEER-ADDRESS with ipv6 address
  • Add FLUTE protocol dissector (#2351)
  • Add PFCP protocol dissector (#2342)
  • Add Path of Exile protocol dissector (#2337)
  • Add NetEase Games detection support (#2335)
  • Add Naraka Bladepoint detection support (#2334)
  • Add BFD protocol dissector (#2332)
  • Add DLEP protocol dissector (#2326)
  • Add ANSI C12.22 protocol dissector (#2317)
  • TLS: add configuration of JA* fingerprints (#2313)
  • Add detection of Gaijin Entertainment games (#2311)
  • Add new AppsFlyer domain (#2307)
  • Add TencentGames protocol dissector (#2306)
  • Add Gearman protocol dissector (#2297)
  • Add Raft protocol dissector. (#2286)
  • Add Radmin protocol dissector (#2283)
  • Add STOMP protocol dissector (#2280)
  • Add ElectronicArts detection support (#2274)
  • Add Yojimbo (netcode) protocol dissector (#2277)
  • Add a dedicated dissector for Zoom (#2265)
  • Add Mumble detection support (#2269)
  • Add KCP protocol dissector. (#2257)
  • Add PIA (Private Internet Access) support (#2250)
  • Add more adult content hostnames (#2247)
  • Add Roughtime protocol dissector. (#2248)
  • Add Google Chat support (#2244)
  • Add Ceph protocol dissector (#2242)
  • Add HL7 protocol dissector (#2240)
  • Add IEC62056 (DLMS/COSEM) protocol dissector (#2229)
  • Add NoMachine NX protocol dissector (#2234)
  • Add Apache Kafka protocol dissector (#2226)
  • Add WebDAV detection support (#2224)
  • Add JSON-RPC protocol dissector (#2217)
  • Add OpenFlow protocol dissector (#2222)
  • Add UFTP protocol dissector (#2215)
  • Add HiSLIP protocol dissector (#2214)
  • Add PROFINET/IO protocol dissector (#2213)
  • Add Monero protocol classification. (#2196)
  • Add Ether-S-Bus protocol dissector (#2200)
  • Add IEEE C37.118 protocol dissector (#2193)
  • Add ISO 9506-1 MMS protocol dissector (#2189)
  • Add Beckhoff ADS protocol dissector (#2181)
  • Add Schneider Electric’s UMAS detection support (#2180)
  • Add Ether-S-I/O protocol dissector (#2174)
  • Add Omron FINS protocol dissector (#2172)
  • Rework S7Comm dissector; add S7Comm Plus support (#2165)
  • Add OPC UA protocol dissector (#2169)
  • Add RTPS protocol dissector (#2168)
  • Add HART-IP protocol dissector (#2163)
  • Add IEEE 1588-2008 (PTPv2) dissector (#2156)
  • Added TeslaServices and improved TikTok host names. Fixes #2140. (#2144)
  • Add ethereum protocol dissector. (#2111)
  • Added generic Google Protobuf dissector. (#2109)
  • Add CAN over Ethernet dissector.

Improvements

  • Enhanced PrimeVideo detection
  • Enhanced ookla tracing
  • Improved ICMP malformed packet risk description
  • Improve detection of Cloudflare WARP traffic (#2491)
  • tunnelbear: improve detection over wireguard (#2485)
  • Improve detection of Twitter/X (#2482)
  • Zoom: fix detection of screen sharing (#2476)
  • Improved detection of Android connectivity checks
  • Zoom: fix integer overflow (#2469)
  • RTP/STUN: look for STUN packets after RTP/RTCP classification (#2465)
  • Zoom: faster detection of P2P flows (#2467)
  • Added NDPI_PROTOCOL_NTOP assert and removed percentage comparison (#2460)
  • Add extra entropy checks and more precise(?) analysis. (#2383)
  • STUN: improve extraction of Mapped-Address metadata (#2370)
  • Added support for roaring bitmap v3 (#2355)
  • Add more TencentGames signatures (#2354)
  • Added DGA exception for Dropbox
  • QUIC: add heuristic to detect unidirectional GQUIC flows (#2207)
  • fuzzing: improve coverage (#2495)
  • fuzz: improve fuzzers using pl7m (#2486)
  • wireshark: lua: minor improvements
  • Improved logic for checking invalid DNS queries
  • fuzz: improve fuzzing coverage (#2474)
  • Improved Kafka dissector. (#2456)
  • H323: improve detection and avoid false positives (#2432)
  • Fix/improve fuzzing (#2426) (#2400)
  • eDonkey: improve/update classification (#2410)
  • Domain Classification Improvements (#2396)
  • Improve LoL: Wild Rift detection (#2359)
  • Improve TencentGames detection (#2353)
  • STUN: improve heuristic to detect old classic-stun
  • ahocorasick: improve matching with subdomains (#2331)
  • Improved alert on suspicious DNS traffic
  • Telegram: improve identification
  • Improved Telegram detection
  • Improved modbus dissection to discard false positives
  • Improved Polish gambling sites fetch script. (#2315)
  • fuzz: improve fuzzing coverage (#2309)
  • Improve normalization of flow->host_server_name (#2310)
  • Improve ndpi_set_config error printing. (#2300)
  • Improve MySQL detection (#2279)
  • Improve handling of custom rules (#2276)
  • Zoom: improve detection (#2270)
  • Improved ndpi_get_host_domain
  • Bittorrent: improve detection of UTPv1 (#2259)
  • Improved uTorrent via utp (TCP-like streams over UDP). (#2255)
  • fuzz: improve fuzzing coverage (#2239)
  • fuzz: improve fuzzing coverage (#2220)
  • Improved Belgian gambling sites regex. (#2184)
  • Improve CORBA detection (#2167)
  • STUN: improve demultiplexing of DTLS packets (#2153)
  • Improved TFTP. Fixes #2075. (#2149)
  • fuzz: improve coverage and remove dead code (#2135)
  • Improved Protobuf dissector. (#2119)
  • Improved detection as non-DGA for hostnames belonging to a CDN (#2068)
  • Improved CryNetwork protocol dissector.

Tools

  • Make the CI faster (#2475)
  • Add a script to download/update the domain suffix list (#2321)
  • Add identification of Huawei generic and cloud traffic (#2325)
  • ndpiReader: improve the check on max number of pkts processed per flow (#2261)
  • Added default port mappings to ndpiReader help -H (#2477)
  • ndpiReader: restore ndpiReader -x $DOMAIN_NAME functionality (#2329)
  • ndpiReader: fix memory leak
  • Add realtime protocol output to ndpiReader. (#2197)
  • ndpiReader: add breed stats on output used for CI (#2236)
  • ndpiReader: avoid creating two detection modules when processing traffic/traces (#2209)
  • ndpiReader: fix guessed_flow_protocols statistic (#2203)