Released nProbe 10.6: Reworked GTP support, Improved Kafka/ZMQ Export, Several Fixes


This is to announce the release of nProbe 10.6 that includes many changes in a couple of selected areas:

  • Mobile traffic analysis (GTPv1 and GTPv2) and GTP-C/GTP-U correlation have been rewritten to support the complexity of modern mobile networks.
  • nProbe is now friendlier when talking ZMQ/Kafka (hence with ntopng): it can report various statistics, and the export of specific information elements has been optimised to improve performance.

In addition, nProbe supports the latest nDPI version, which has been optimised in memory and features almost 500 application protocols, a major step ahead with respect to the previous version. Furthermore, we have improved the analysis of multimedia and streaming protocols, as well as collaboration tools such as Teams, Zoom and Meet: for these protocols, RTP metrics such as MOS-like, jitter and packet loss have been improved.

Below you can find the complete nProbe 10.6 changelog.

Enjoy!

Changelog

Command Line Options

 

  • Add --blacklists for configuring blacklists
  • Add --ndpi-categories-dir
  • Add --dns-dump-blacklisted for dumping only blacklisted client queries
  • Add --gtpv1-track-imsi and --gtpv2-track-imsi
  • Add --gtpv1-teid-cache-duration and --gtpv2-teid-cache-duration
  • Add --gtp-use-host-in-tunnels
  • Add --estimate-tcp-latency for making TCP network latency optionally estimated in case a flow start was not observed
  • Add -gtp-use-host-in-tunnels for GTPv1
  • Extend --map-ifnames option to accept a file in addition to the CLI

Improvements

 

  • New %JA4C_HASH IE
  • New %GTPV1_GSN_ADDRESS_IPV4_A and %GTPV1_GSN_ADDRESS_IPV4_B containing the first and second GSN IPv4 address
  • New %FLOW_ENCRYPTED IE
  • New %L7_DOMAIN_INFO IE similar to %L7_INFO but returns only the domain name of the host
  • Add support for datalink 10 (raw packets)
  • Add support for flow source for detecting how flows are generated (packets, collection of sflow/netflow, collection of sflow)
  • Improve ZMQ events messages
  • Improve HTTP dump to file (flush after write)
  • Hash size is now automatically increased when -M is used
  • Various GTP-C/GTP-U improvements
    • Add support for DeleteBearerRequest in GTPv2
    • Enhanced %UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID with GTP gateways
  • Improve RTP handling with Zoom and Teams
  • Add Zoom p2p support
  • Improve Zoom Media Encapsulation decoding
  • Improve utility to export flows to Google Pub/Sub
    • Add native batching support
    • Add options to control import/export settings
  • Add instance UUID for detecting the individual nprobe instances
    • Add NPROBE_UUID and NPROBE_IP information elements
  • Add support for HTTPS ports in the HTTP plugin
  • Implement TCP flow swap in case SYN|ACK is observed before SYN
  • Add @timestamp to the ELK plugin

Fixes

 

  • Fix Clickhouse database schema types
  • Various RTP fixes
  • Various GTP fixes
    • Restore GTP accounting with --imsi-apn-aggregation
    • Fix GTPv2 delete session handling
    • Add fixes for discarding negative GTP-C responses
    • Fix GTPv2 Bearer Context decoding that was previously unable to handle IPv4/IPv6 F-TEID
    • Fix crash with GTP flow aggregation
    • Fix GTP-C dump
  • Fix DNS additional records decoding
  • Fix --map-postnat CLI option
  • Fix plugin handling with null-ethernet (e.g. loopback) encapsulation
  • Fix DHCP export
  • Fix DHCP_CLIENT_NAME dissection
  • Fix TOS handling
  • Fix --in-iface-idx/--out-iface-idx values populated in case of packet capture from network device
  • Fix endianness with --map-postnat
  • Fix memory leaks
  • Fix -p aggregation parsing
  • Fix IMSI correlation
  • Fix double Kafka flow export
  • Fix IPS policing
  • Fix nflite initialization

Misc

 

  • Add support for the ntop Cloud
  • ZMQ events are now emitted every 5 sec (used to be every second)
  • Disabled JA3+ support in favour of JA4
  • Disabled --collector-passthrough when ZMQ is in use, as this can cause inconsistencies on the ntopng side due to template format
  • Add nprobe user to the ntop group
  • Package for Ubuntu 24