nDPI 3.0 Deep Packet Inspection available

The ntop project, which develops tools for capturing and analyzing network traffic, has published the release of the deep packet inspection toolkit nDPI 3.0, which continues development of the OpenDPI library. The nDPI project was started after an unsuccessful attempt to contribute changes to the OpenDPI repository, which had been left unmaintained. The nDPI code is written in C and is distributed under the LGPLv3 license.

The project makes it possible to determine the application-level protocols used in traffic by analyzing the nature of the network activity, without relying on network port numbers. It can therefore recognize known protocols whose handlers accept connections on non-standard ports (for example, HTTP that is not served from port 80) and, conversely, detect attempts to disguise other network activity as HTTP by running it on port 80.

Differences from OpenDPI come down to support for additional protocols, a port to the Windows platform, performance optimizations, adaptation for use in real-time traffic monitoring applications (some specialized features that slowed down the engine were removed), the ability to build the engine as a Linux kernel module, and support for defining sub-protocols.

A total of 238 protocol and application definitions are supported, ranging from OpenVPN, Tor, QUIC, SOCKS, BitTorrent and IPsec to Telegram, Viber, WhatsApp, PostgreSQL, and accesses to GMail, Office365, GoogleDocs and YouTube. A decoder for server and client SSL certificates is included, which makes it possible to identify a protocol (for example, Citrix Online or Apple iCloud) from the certificate used for encryption. The ndpiReader utility is supplied for analyzing the contents of pcap dumps or live traffic on a network interface.

$ ./nDPIreader -i eth0 -s 20 -f "host 192.168.1.10"

Detected protocols:
DNS packets: 57 bytes: 7904 flows: 28
SSL_No_Cert packets: 483 bytes: 229203 flows: 6
FaceBook packets: 136 bytes: 74702 flows: 4
DropBox packets: 9 bytes: 668 flows: 3
Skype packets: 5 bytes: 339 flows: 3
Google packets: 1700 bytes: 619135 flows: 34

In the new release:

  • Protocol information is now reported as soon as a protocol is detected, without waiting for all metadata to be received (even when specific fields have not yet been parsed because the corresponding network packets have not yet arrived). This matters for traffic analyzers that need to react immediately to certain types of traffic. Applications that need a full protocol dissection can use the ndpi_extra_dissection_possible() API to make sure that all protocol metadata has been extracted.
  • Implemented deeper TLS analysis, extracting information about certificate validity and the SHA-1 hash of the certificate.
  • Added the "-C" flag to ndpiReader for exporting results in CSV format, which, together with additional tools, makes it possible to run fairly complex statistical queries. For example, to find the IP address of the user who has watched Netflix the longest:

    $ ndpiReader -i netflix.pcap -C /tmp/netflix.csv
    $ q -H -d ',' "select src_ip,SUM(src2dst_bytes+dst2src_bytes) from /tmp/netflix.csv where ndpi_proto like '%NetFlix%' group by src_ip"

    192.168.1.7,6151821

  • Added support for the method proposed in Cisco's Joy tool for identifying malicious activity hidden in encrypted traffic by analyzing packet sizes and inter-packet timing. In ndpiReader the method is enabled with the "-J" option.
  • Classification of protocols by categories is provided.
  • Added computation of IAT (Inter-Arrival Time) to detect anomalies in protocol usage, for example to detect a protocol being used in DoS attacks.
  • Added data analysis based on computed metrics such as entropy, mean, standard deviation, and variance.
  • An initial version of Python bindings is offered.
  • Added a mode for detecting human-readable strings in traffic, intended for detecting data leaks. In ndpiReader the mode is enabled with the "-e" option.

  • Added support for the JA3 TLS client identification method, which uses the features and parameters presented during connection negotiation to determine which software is establishing the connection (for example, it can reveal the use of Tor and other typical applications).
  • Added support for the HASSH method of identifying SSH implementations, and for DHCP.
  • Added functions for serializing and deserializing data in Type-Length-Value (TLV) and JSON formats.

  • Added support for the following protocols and services: DTLS (TLS over UDP), Hulu, TikTok/Musical.ly, WhatsApp Video, DNS over HTTPS, Datasaver, Line, Google Duo, Hangouts, WireGuard VPN, imo and Zoom.us.

  • Improved analysis of TLS, SIP, STUN, Viber, WhatsApp, AmazonVideo, SnapChat, FTP, HERE C, OpenVPN UDP, Facebook Messenger and Hangouts.
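As an added illustration of the JA3 client-identification method mentioned above (example code written for this page, not code from nDPI or the article): the function below pulls the five JA3 fields out of a raw TLS ClientHello record, drops GREASE values as JA3 specifies, and returns the JA3 string with its MD5; the ClientHello it parses is constructed inline, not taken from a capture.

```python
import hashlib
import struct

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}  # RFC 8701 values, excluded from JA3

def u16_list(data):
    return [v for (v,) in struct.iter_unpack("!H", data)]

def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) from a raw TLS record carrying a ClientHello."""
    ctype, _, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rlen]
    if ctype != 0x16 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                    # skip the 32-byte client random
    pos += 1 + body[pos]                            # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = u16_list(body[pos:pos + cs_len]); pos += cs_len
    pos += 1 + body[pos]                            # skip compression methods
    ext_types, curves, formats = [], [], []
    if pos + 2 <= len(body):                        # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            ext_types.append(etype)
            if etype == 10:    # supported_groups: u16 length + u16 list
                curves = u16_list(edata[2:2 + struct.unpack("!H", edata[:2])[0]])
            elif etype == 11:  # ec_point_formats: u8 length + u8 list
                formats = list(edata[1:1 + edata[0]])
    fmt = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    ja3 = ",".join([str(version), fmt(ciphers), fmt(ext_types), fmt(curves), fmt(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_client_hello(version, ciphers, extensions):
    """Build a minimal ClientHello record (test input only); extensions = [(type, data)]."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"     # cipher suites, null compression
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

# Constructed sample, not a capture: TLS 1.2 hello with a GREASE cipher and a GREASE extension.
SAMPLE = build_client_hello(0x0303, [0x0a0a, 0x1301, 0xc02b], [
    (0x0a0a, b""), (0, b"\x00\x0c\x00\x00\x09localhost"),   # GREASE, server_name
    (10, b"\x00\x04\x00\x1d\x00\x17"), (11, b"\x01\x00"),   # supported_groups, ec_point_formats
])
```

The resulting JA3 string for the sample is `771,4865-49195,0-10-11,29-23,0`; the two GREASE values (0x0a0a) are absent, so a client randomizing them still gets a stable fingerprint.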

Source: opennet.ru
