Release of the nDPI 4.0 deep packet inspection toolkit

The ntop project, which develops tools for capturing and analyzing traffic, has published nDPI 4.0, a toolkit for deep packet inspection that continues the development of the OpenDPI library. The nDPI project was started after an unsuccessful attempt to submit changes to the OpenDPI repository, which had been left unmaintained. The nDPI code is written in C and is distributed under the LGPLv3 license.

The project identifies the application-level protocols used in traffic by analyzing the nature of the network activity rather than relying on network ports. It can recognize well-known protocols whose handlers accept connections on non-standard ports (for example, HTTP served on a port other than 80) and, conversely, detect when some other network activity tries to disguise itself as HTTP by running on port 80.

The differences from OpenDPI come down to support for additional protocols, a port to the Windows platform, performance optimizations, adaptation for use in real-time traffic monitoring applications (some specific features that slowed down the engine were removed), the ability to build the engine as a Linux kernel module, and support for detecting subprotocols.

In total, 247 protocols and applications are recognized, from OpenVPN, Tor, QUIC, SOCKS, BitTorrent and IPsec to Telegram, Viber, WhatsApp, PostgreSQL and requests to Gmail, Office 365, Google Docs and YouTube. A decoder for server and client SSL certificates is included, which makes it possible to identify a protocol (for example, Citrix Online or Apple iCloud) from the certificate used for encryption. The ndpiReader utility is shipped for analyzing the contents of PCAP dumps or live traffic on a network interface.

$ ./ndpiReader -i eth0 -s 20 -f "host 192.168.1.10"
Detected protocols:
    DNS           packets: 57      bytes: 7904     flows: 28
    SSL_No_Cert   packets: 483     bytes: 229203   flows: 6
    Facebook      packets: 136     bytes: 74702    flows: 4
    Dropbox       packets: 9       bytes: 668      flows: 3
    Skype         packets: 5       bytes: 339      flows: 3
    Google        packets: 1700    bytes: 619135   flows: 34

Changes in the new release:

  • Improved support for Encrypted Traffic Analysis (ETA).
  • Support for JA3+, an improved method of fingerprinting TLS clients that makes it possible to determine which software established a connection (for example, it allows detecting the use of Tor and other typical applications). Unlike the previously supported JA3 method, JA3+ produces fewer false positives.
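
The two ideas above, port-independent protocol identification and TLS client fingerprinting, are shown together in the following added example. This is illustrative code written for this page, not code from nDPI or ntop: it classifies a flow's first payload bytes without looking at the port, flags a port/payload disagreement (something that is not HTTP arriving on port 80, or HTTP on a non-standard port), and computes the plain JA3 fingerprint (MD5 over TLS version, ciphers, extensions, supported groups and point formats, with GREASE values removed) for TLS flows. The JA3+ variant nDPI 4.0 introduces includes additional fields and is not reproduced here. The sample packets, the `PORT_HINTS` table and all function names are constructed for the example.

```python
"""Port-agnostic payload classification plus JA3 TLS client fingerprinting.

Added example, not nDPI's own code. JA3 is computed as published by Salesforce;
nDPI's JA3+ extends it and is not reproduced here. All packets are constructed.
"""
import hashlib
import re
import struct

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n"
)
# Assumed well-known-port table, used only to spot port/payload disagreements.
PORT_HINTS = {80: "HTTP", 443: "TLS"}


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa; JA3 drops them
    so that randomised placeholders do not change the fingerprint."""
    return (value & 0xFF) == (value >> 8) and (value & 0x0F) == 0x0A


def parse_client_hello(record: bytes) -> dict:
    """Extract the JA3 inputs from a TLS record carrying a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                       # skip client_version and random
    pos += 1 + body[pos]               # session_id length + session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]               # compression methods
    extensions, groups, formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == 10:   # supported_groups: 2-byte list length, 2-byte entries
                groups = [int.from_bytes(data[i:i + 2], "big") for i in range(2, len(data), 2)]
            elif etype == 11: # ec_point_formats: 1-byte list length, 1-byte entries
                formats = list(data[1:])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3_fingerprint(record: bytes):
    """Return (ja3_string, ja3_md5) for a ClientHello record, GREASE removed."""
    f = parse_client_hello(record)
    ja3 = ",".join([
        str(f["version"]),
        "-".join(str(c) for c in f["ciphers"] if not is_grease(c)),
        "-".join(str(e) for e in f["extensions"] if not is_grease(e)),
        "-".join(str(g) for g in f["groups"] if not is_grease(g)),
        "-".join(str(p) for p in f["formats"]),
    ])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def classify_payload(payload: bytes) -> str:
    """Guess the application protocol from the first payload bytes, ignoring the port."""
    if HTTP_REQUEST_LINE.match(payload):
        return "HTTP"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "TLS"
    return "Unknown"


def inspect_flow(dst_port: int, payload: bytes) -> dict:
    """Classify the payload, compare with the port hint, add JA3 for TLS flows."""
    detected = classify_payload(payload)
    hinted = PORT_HINTS.get(dst_port)
    result = {"port": dst_port, "detected": detected, "port_hint": hinted,
              "mismatch": hinted is not None and detected != hinted}
    if detected == "TLS":
        try:
            result["ja3"], result["ja3_md5"] = ja3_fingerprint(payload)
        except ValueError:
            result["ja3"] = result["ja3_md5"] = None
    return result


def build_client_hello(version: int, ciphers, extensions) -> bytes:
    """Constructed sample: minimal ClientHello in a TLS record; extensions is [(type, data)]."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, no session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                           # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed ClientHello: TLS 1.2 version, one GREASE cipher, two real ciphers,
# SNI, a GREASE extension, supported_groups (with a GREASE group) and point formats.
SAMPLE_CLIENT_HELLO = build_client_hello(0x0303, [0x1A1A, 0xC02B, 0xC02F], [
    (0, b"\x00\x0e\x00\x00\x0bexample.com"),     # server_name: example.com
    (0x2A2A, b""),                               # GREASE extension
    (10, b"\x00\x06\x3a\x3a\x00\x1d\x00\x17"),   # groups: GREASE, x25519, secp256r1
    (11, b"\x01\x00"),                           # point formats: uncompressed
])
SAMPLE_HTTP = b"GET /admin HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n"

if __name__ == "__main__":
    for port, payload in [(8080, SAMPLE_HTTP), (80, SAMPLE_CLIENT_HELLO), (80, SAMPLE_HTTP)]:
        print(inspect_flow(port, payload))
```

The HTTP request on port 8080 is classified as HTTP with no port hint, the ClientHello on port 80 is reported as TLS with `mismatch` set, which is the "something camouflaged as HTTP" case from the text, and its JA3 string comes out as `771,49195-49199,0-10-11,29-23,0` because the GREASE cipher, extension and group are dropped before hashing.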
