Release of the nDPI 4.6 deep packet inspection library

The ntop project, which develops tools for traffic capture and analysis, has published the release of nDPI 4.6, a deep packet inspection library that continues the development of the OpenDPI library. The nDPI project was started after an unsuccessful attempt to get changes merged into the OpenDPI repository, which had been left unmaintained. The nDPI code is written in C and distributed under the LGPLv3 license.

The library identifies the application-layer protocols used in traffic by analyzing the nature of the network activity rather than relying on port numbers: it can recognize known protocols whose handlers accept connections on non-standard ports (for example, HTTP served from a port other than 80) and, conversely, detect other network activity that tries to masquerade as HTTP by running on port 80.
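As an added illustration of the port-independent detection described above (example code written for this page, not nDPI's own code or API), the following Python classifier labels a flow from its first payload bytes and uses the destination port only afterwards, to flag mismatches in both directions: a known protocol on a non-standard port, or unexpected traffic on a well-known port. The sample payloads are constructed here, and the signatures are deliberately simplified compared with what a real DPI engine checks.

```python
"""Port-agnostic protocol identification, reduced to its essentials.

Assumptions (added example, not nDPI code): four toy content signatures
(HTTP request line, TLS ClientHello record header, SSH banner, BitTorrent
handshake) and a small table of well-known ports used only for
cross-checking the content-based verdict.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample payloads: the first bytes a client sends on a flow.
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
# TLS record header (0x16 = handshake, version 3.1) + handshake type 0x01 (ClientHello)
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03])
SSH_BANNER = b"SSH-2.0-OpenSSH_9.3\r\n"
BITTORRENT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n"
)

# Ports whose conventional protocol we want to cross-check against content.
WELL_KNOWN_PORTS = {80: "HTTP", 443: "TLS", 22: "SSH"}


def classify_payload(payload: bytes) -> str:
    """Return a protocol label derived from payload content alone (no port used)."""
    if HTTP_REQUEST_LINE.match(payload):
        return "HTTP"
    # TLS: content type 0x16, major version 3, minor 1..3, handshake type ClientHello (0x01)
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (1, 2, 3) and payload[5] == 0x01):
        return "TLS"
    if payload.startswith(b"SSH-"):
        return "SSH"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "BitTorrent"
    return "Unknown"


@dataclass
class Verdict:
    protocol: str            # content-based label
    port_hint: Optional[str]  # what the port alone would have suggested, if anything
    anomaly: Optional[str]    # set when content and port disagree


def classify_flow(dst_port: int, payload: bytes) -> Verdict:
    """Classify by content first, then use the port only to spot mismatches."""
    proto = classify_payload(payload)
    expected = WELL_KNOWN_PORTS.get(dst_port)
    anomaly = None
    if expected is None and proto in WELL_KNOWN_PORTS.values():
        # e.g. HTTP served from 8080: still HTTP, but worth noting
        anomaly = f"{proto} on non-standard port {dst_port}"
    elif expected is not None and proto != expected:
        # e.g. SSH or unknown bytes on port 80: something hiding behind a "web" port
        anomaly = f"port {dst_port} normally carries {expected}, payload looks like {proto}"
    return Verdict(proto, expected, anomaly)


if __name__ == "__main__":
    samples = [
        (80, HTTP_REQUEST), (8080, HTTP_REQUEST), (443, TLS_CLIENT_HELLO),
        (80, SSH_BANNER), (80, TLS_CLIENT_HELLO), (6881, BITTORRENT_HANDSHAKE),
    ]
    for port, data in samples:
        v = classify_flow(port, data)
        print(f"dst_port={port:<5} proto={v.protocol:<10} anomaly={v.anomaly}")
```

The point of the structure is the order of operations: the verdict comes from the bytes, and the port is consulted only to annotate the result. Swapping that order (classifying by port and then "confirming" by content) is exactly what lets port-80 camouflage go unnoticed.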

The differences from OpenDPI come down to support for additional protocols, a port to the Windows platform, performance optimization, adaptation for use in real-time traffic monitoring applications (some specialized features that slowed the engine down were removed), the ability to build the library as a Linux kernel module, and support for subprotocol detection.

Detection of 50 types of network threats (flow risks) and 332 protocols and applications is supported (from OpenVPN, Tor, QUIC, SOCKS, BitTorrent and IPsec to Telegram, Viber, WhatsApp, PostgreSQL, and accesses to Gmail, Office 365, Google Docs and YouTube). A decoder for server and client SSL certificates is provided, allowing the protocol (for example, Citrix Online or Apple iCloud) to be identified from the certificate used for encryption. The ndpiReader utility is supplied for analyzing the contents of PCAP dumps or live traffic on a network interface.

In the new release:

  • Custom protocols can now be defined using nBPF filters (for example: ‘nbpf:"host 192.168.1 and port 80"@homerouter’).
  • Traffic analysis performance has been increased.
  • Improved fuzz testing.
  • Improved detection of web shells and PHP code in HTTP URLs.
  • Improved detection of DGA (domain generation algorithm) domains.
  • Improved checking for AES-NI instruction support.
  • . . .

  • Improved data serialization to JSON.
  • Improved detection of refused connections.
  • Added statistics for the Patricia tree, Aho-Corasick automaton and LRU cache.
  • Added configurable expiration logic for entries in the LRU cache.
  • RTP stream support has been added to the flow metadata.
  • Support for the Linux cooked capture v2 link type has been added to the ndpiReader utility.
