Welcome to nDPI 4.6: code fuzzing, new protocol and flow risks

Posted · Add Comment

This is to announce the release of nDPI 4.6 that introduces various improvements with respect to the previous release. Many things changed in this release in terms of number of protocols and robustness thanks to code fuzzing introduced in this release. nDPI now natively supports 332 protocols and 50 flow risks, this in addition to protocols that can be configured using the protocol file. Protocol metadata extraction has been improved in various protocols as well DGA detection in host names.

Below you can find the complete changelog.

Enjoy !



New Features

  • New support for custom BPF protocol definition using nBPF (see example/protos.txt)
  • Improved dissection performance
  • Added fuzzing all over

New Supported Protocols and Services

Add protocol detection for:

  • Activision
  • AliCloud server access
  • CryNetwork
  • Discord
  • EDNS
  • Elasticsearch
  • FastCGI
  • Kismet
  • Liane App and Line VoIP calls
  • Meraki Cloud
  • Muanin
  • Syncthing
  • TP-LINK Smart Home
  • SoftEther VPN
  • Tailscale
  • TiVoConnect


Improve protocol detection for:

  • Anydesk
  • Bittorrent (fix confidence, detection over TCP)
  • DNS, add ability to decode DNS PTR records used for reverse address resolution
  • DTLS (handle certificate fragments)
  • Facebook VoIP calls
  • FastCGI (dissect PARAMS)
  • FortiClient (update default ports)
  • Zoom
  • Add Zoom screen share detection
  • Add detection of Zoom peer-to-peer flows in STUN
  • Hangout/Duo Voip calls detection, optimize lookups in the protocol tree
  • HTTP
  • Handling of HTTP-Proxy and HTTP-Connect
  • HTTP subclassification
  • Check for empty/missing user-agent in HTTP
  • IRC (credentials check)
  • Jabber/XMPP
  • Kerberos (support for Krb-Error messages)
  • LDAP
  • MGCP
  • MONGODB (avoid false positives)
  • Postgres
  • POP3
  • QUIC (support for 0-RTT packets received before the initial)
  • Snapchat VoIP calls
  • SIP
  • SNMP
  • SMB (support for messages split into multiple TCP segments)
  • SMTP (support for X-ANONYMOUSTLS command)
  • STUN
  • SKYPE (improve detection over UDP, remove detection over TCP)
  • Teamspeak3 (License/Weblist detection)
  • Threema Messenger
  • TINC (avoid processing SYN packets)
  • TLS
    • improve reassembler handling of ALPN(s) and subclassification
    • ignore invalid Content Type values
    • WindowsUpdate
  • Add flow risk:
    • NDPI_MINOR_ISSUES (generic/relevant information about issues found on traffic)
    • NDPI_HTTP_OBSOLETE_SERVER (Apache and nginx are supported)
    • NDPI_PERIODIC_FLOW (reserved bit to be used by apps based on nDPI)
  • Improve detection of WebShell and PHP code in HTTP URLs that is reported via flow risk
  • Improve DGA detection
  • Improve AES-NI check
  • Improve nDPI JSON serialization
  • Improve export/print of L4 protocol information
  • Improve connection refused detection
  • Add statistics for Patricia tree, Ahocarasick automa, LRU cache
  • Add a generic (optional and configurable) expiration logic in LRU caches
  • Add RTP stream type in flow metadata
  • LRU cache is now IPv6 aware



  • Add support for Linux Cooked Capture v2
  • Fix packet dissection (CAPWAP and TSO)
  • Fix Discarded bytes statistics


  • Fix classification by-port
  • Fix exclusion of DTLS protocol
  • Fix undefined-behaviour in ahocorasick callback
  • Fix infinite loop when a custom rule has port 65535
  • Fix undefined-behavior when setting empty user-agent
  • Fix infinite loop in DNS dissector (due to an integer overflow)
  • Fix JSON export of IPv6 addresses
  • Fix memory corruptions in Bittorrent, HTTP, SoftEther, Florensia, QUIC, IRC, TFTP dissectors
  • Fix stop of extra dissection in HTTP, Bittorrent, Kerberos
  • Fix signed integer overflow in ASN1/BER dissector
  • Fix char/uchar bug in ahocorasick
  • Fix endianess in IP-Port lookup
  • Fix FastCGI memory allocation issue
  • Fix metadata extraction in NAT-PMP
  • Fix invalid unidirectional traffic alert for unidirectional protocols (e.g. sFlow)


  • Support for Rocky Linux 9
  • Enhance fuzzers to test nDPI configurations, memory allocation failures, serialization/deserialization, algorithms and data structures
  • GitHub Actions: update to Node.js 16
  • Size of LRU caches is now configurable