Project ntop Publishes nDPI Release for Deep Packet Inspection
Project ntop has released a new version of nDPI, a toolkit for capturing and analyzing traffic. nDPI 4.8 continues development of the OpenDPI library; the nDPI project was started after an attempt to get changes merged into the OpenDPI repository failed. The nDPI code, written in C, is available under the LGPLv3 license.
nDPI identifies the application protocols used in network traffic, allowing network activity to be analyzed without relying on network ports. This means it can detect known protocols running on non-standard ports, and also identify network activity masquerading as another protocol, such as non-HTTP traffic sent over port 80.
The key differences between nDPI and OpenDPI include support for additional protocols, a port to the Windows platform, performance optimizations, adaptation for real-time traffic monitoring applications, the ability to build it as a Linux kernel module, and support for sub-protocol detection.
One of the key features of nDPI is its ability to identify various types of network threats as well as more than 350 protocols and applications. It can even decode server and client SSL certificates to determine the protocol in use. To analyze PCAP dumps or live traffic on a network interface, the ndpiReader utility is provided.
The latest release, version 4.8, introduces several improvements and additions:
- Memory consumption when processing lists is significantly reduced.
- Expanded support for IPv6.
- New protocol categories added for adult content, advertising, web analytics, and movement tracking.
- Added support for protocols and services such as HAProxy, Apache Thrift, RMCP (Remote Management Control Protocol), SLP (Service Location Protocol), Bitcoin, unencrypted HTTP/2, SRTP (Secure Real-time Transport Protocol), BACnet, and OICQ (a Chinese messenger).
- Improved detection of OperaVPN and ProtonVPN, and better detection of WireGuard.
- A heuristic was implemented for identifying fully encrypted traffic flows.
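To illustrate the two ideas described above, port-independent protocol identification with a mismatch check (for example, non-HTTP traffic on port 80) and a heuristic for flows that carry only encrypted bytes, here is a small added example written for this page. It is not nDPI's code: the signatures, the expected-protocol-per-port table, the entropy threshold and the sample payloads are all constructed assumptions, and nDPI's own heuristic is not known to work this way.

```python
import math
import re
from collections import Counter

# Signatures for the first payload bytes of a flow; the port is deliberately not consulted.
HTTP1_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # cleartext h2 connection preface

def looks_encrypted(data: bytes) -> bool:
    """Crude stand-in for an 'encrypted flow' heuristic (assumption, not nDPI's logic):
    byte entropy close to the maximum achievable for the sample length."""
    if len(data) < 32:
        return False
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return entropy / min(8.0, math.log2(n)) > 0.9

def classify_payload(payload: bytes) -> str:
    """Name the application protocol from payload content alone."""
    if HTTP1_REQUEST.match(payload):
        return "HTTP"
    if payload.startswith(HTTP2_PREFACE):
        return "HTTP/2"
    if payload.startswith(b"SSH-2.0-"):
        return "SSH"
    # TLS record: content type 0x16 (handshake), version 0x0301..0x0304, handshake type 0x01 (ClientHello)
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and 1 <= payload[2] <= 4 and payload[5] == 0x01):
        return "TLS"
    if looks_encrypted(payload):
        return "ENCRYPTED"
    return "UNKNOWN"

# Protocol a defender expects on a well-known port (assumed table for the demo).
EXPECTED_BY_PORT = {22: "SSH", 80: "HTTP", 443: "TLS"}

def check_flow(dst_port: int, payload: bytes) -> dict:
    """Compare the content-based verdict with the port-implied one and flag disagreement."""
    detected = classify_payload(payload)
    expected = EXPECTED_BY_PORT.get(dst_port)
    return {"port": dst_port, "detected": detected, "expected": expected,
            "mismatch": expected is not None and detected != expected}

# Constructed sample payloads (truncated ClientHello, a plain request, an SSH banner, random-looking bytes).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + bytes(range(32))
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
OPAQUE_BLOB = bytes(range(256))

if __name__ == "__main__":
    for port, payload in [(80, TLS_CLIENT_HELLO), (443, PLAIN_GET), (8022, SSH_BANNER), (80, OPAQUE_BLOB)]:
        print(check_flow(port, payload))
```

A flow reported with `mismatch` set, such as TLS or an opaque blob on port 80, is exactly the kind of event a port-based monitor would miss and a DPI-based one surfaces.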