Release of the nDPI 4.10 Deep Packet Inspection Package

The ntop project, which develops tools for capturing and analyzing network traffic, has published a new release of its deep packet inspection toolkit, nDPI 4.10. The project continues development of the OpenDPI library; it was started after attempts to get changes into the OpenDPI repository went unanswered because that repository had been left unattended. The nDPI code is written in C and is distributed under the LGPLv3 license.

nDPI classifies network traffic at the application level, so network activity can be analyzed without relying on the traditional port-to-protocol mapping. This makes it possible to detect known protocols running on non-standard ports, such as HTTP on a port other than 80, as well as attempts to disguise other network activity as HTTP by running it over port 80.

Key differences from OpenDPI include expanded protocol support, a port to the Windows platform, performance optimization, real-time traffic monitoring capabilities, a modular build for the Linux kernel, and office definitions support.

nDPI detects 55 types of network threats and over 420 protocols and applications, including popular services such as OpenVPN, Tor, BitTorrent, WhatsApp, Google Docs, and YouTube. It also includes a decoder for server and client SSL certificates, which allows protocols to be identified from the certificates used for encryption. The ndpiReader utility is provided for analyzing PCAP dumps or live network traffic.

In the latest release, the following updates have been introduced:

  • Initial support for FPC (First Packet Classification), a technique for identifying protocols, applications, and services from the first packet sent during connection setup. Implementing FPC for selected protocols can significantly reduce CPU load during traffic inspection.
  • Support and analysis of over 70 new protocols and services, including
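The port-independent classification described above and the first-packet classification (FPC) idea from the release notes can be illustrated together with a toy classifier. The following is an added example written for this page; it is not nDPI code, and its protocol signatures (a TLS ClientHello record header, the SSH identification string, and an HTTP request line) are a minimal constructed subset of what a real DPI engine matches. It contrasts a port-based guess with a decision made purely from the first payload bytes of a flow, using constructed sample packets.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not nDPI code): a toy first-packet classifier that
 * decides by payload, never by port. Signatures are a minimal demo subset. */

typedef enum { PROTO_UNKNOWN = 0, PROTO_HTTP, PROTO_TLS, PROTO_SSH } proto_t;

const char *proto_name(proto_t p) {
    switch (p) {
    case PROTO_HTTP: return "HTTP";
    case PROTO_TLS:  return "TLS";
    case PROTO_SSH:  return "SSH";
    default:         return "Unknown";
    }
}

/* Port-based guess: the legacy approach the article contrasts against. */
proto_t classify_by_port(uint16_t dst_port) {
    switch (dst_port) {
    case 80:  return PROTO_HTTP;
    case 443: return PROTO_TLS;
    case 22:  return PROTO_SSH;
    default:  return PROTO_UNKNOWN;
    }
}

static int has_prefix(const uint8_t *p, size_t len, const char *prefix) {
    size_t n = strlen(prefix);
    return len >= n && memcmp(p, prefix, n) == 0;
}

/* Scan the first request line (up to the first CR or LF) for " HTTP/1." */
static int request_line_is_http(const uint8_t *p, size_t len) {
    static const char tag[] = " HTTP/1.";
    size_t n = sizeof(tag) - 1;
    for (size_t i = 0; i + n <= len; i++) {
        if (p[i] == '\r' || p[i] == '\n') break;
        if (memcmp(p + i, tag, n) == 0) return 1;
    }
    return 0;
}

/* Classify the first client packet of a flow from its payload only.
 * dst_port is accepted so the call mirrors classify_by_port, but the
 * decision never depends on it. */
proto_t classify_first_packet(uint16_t dst_port, const uint8_t *payload, size_t len) {
    static const char *http_methods[] = {"GET ", "POST ", "HEAD ", "PUT ",
                                         "DELETE ", "OPTIONS ", "CONNECT ", NULL};
    (void)dst_port;
    if (payload == NULL || len == 0) return PROTO_UNKNOWN;

    /* TLS: record type 0x16 (handshake), legacy version 0x03 0x00..0x04,
     * handshake type 0x01 (ClientHello) at offset 5 */
    if (len >= 6 && payload[0] == 0x16 && payload[1] == 0x03 &&
        payload[2] <= 0x04 && payload[5] == 0x01)
        return PROTO_TLS;

    /* SSH: the client opens with its identification string (RFC 4253) */
    if (has_prefix(payload, len, "SSH-2.0-") || has_prefix(payload, len, "SSH-1.99-"))
        return PROTO_SSH;

    /* HTTP: a method token plus a request line carrying " HTTP/1." */
    for (const char **m = http_methods; *m; m++)
        if (has_prefix(payload, len, *m) && request_line_is_http(payload, len))
            return PROTO_HTTP;

    return PROTO_UNKNOWN;
}

int main(void) {
    /* Constructed samples: HTTP on a non-standard port, a TLS ClientHello
     * sent to port 80, and SSH on its usual port 22 */
    static const char http_req[] = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";
    static const uint8_t tls_hello[] = {0x16, 0x03, 0x01, 0x00, 0x2a, 0x01,
                                        0x00, 0x00, 0x26, 0x03, 0x03};
    static const char ssh_banner[] = "SSH-2.0-demo_1.0\r\n";
    struct { uint16_t port; const uint8_t *p; size_t len; } flows[] = {
        {8080, (const uint8_t *)http_req, sizeof http_req - 1},
        {80, tls_hello, sizeof tls_hello},
        {22, (const uint8_t *)ssh_banner, sizeof ssh_banner - 1},
    };
    for (size_t i = 0; i < sizeof flows / sizeof flows[0]; i++)
        printf("dst port %5u: by port = %-8s by first packet = %s\n", flows[i].port,
               proto_name(classify_by_port(flows[i].port)),
               proto_name(classify_first_packet(flows[i].port, flows[i].p, flows[i].len)));
    return 0;
}
```

Run as-is, the HTTP request on port 8080 is "Unknown" by port but "HTTP" by payload, and the ClientHello on port 80 is "HTTP" by port but "TLS" by payload, which is exactly the disguise case the article mentions. A real engine such as nDPI keeps far more signatures and falls back to later packets when the first one is inconclusive; the point of FPC is that for protocols with a distinctive opening packet, the verdict can be reached here, before any further per-packet work is spent on the flow.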
