nDPI Deep Packet Inspection 4.0 Released

The ntop project, which develops tools for capturing and analyzing traffic, has published a release of the nDPI 4.0 Deep Packet Inspection Toolkit, which continues the development of the OpenDPI library. The nDPI project was founded after an unsuccessful attempt to commit changes to the OpenDPI repository, which was left unmaintained. The nDPI code is written in C and distributed under the LGPLv3 license.

The project determines the application-layer protocols used in traffic by analyzing the nature of the network activity rather than relying on network ports: it can recognize known protocols whose handlers accept connections on non-standard ports (for example, HTTP that is not served on port 80) and, conversely, detect attempts to disguise other network activity as HTTP by running it on port 80.

Differences from OpenDPI come down to support for additional protocols, a port to the Windows platform, performance optimization, adaptation for use in real-time traffic monitoring applications (some specific features that slowed down the engine were removed), the ability to build as a Linux kernel module, and support for defining subprotocols.

A total of 247 protocol and application definitions are supported, from OpenVPN, Tor, QUIC, SOCKS, BitTorrent and IPsec to Telegram, Viber, WhatsApp, PostgreSQL and GMail, Office365, GoogleDocs and YouTube calls. A decoder for server and client SSL certificates makes it possible to identify the protocol (for example, Citrix Online and Apple iCloud) from the certificate used for encryption. The nDPIreader utility is supplied for analyzing the contents of pcap dumps or live traffic on a network interface.

$ ./nDPIreader -i eth0 -s 20 -f "host 192.168.1.10"
    DropBox    packets: 57     bytes: 7904     flows: 28
    Skype      packets: 483    bytes: 229203   flows: 6
    Google     packets: 136    bytes: 74702    flows: 4

In the new release:

  • Improved support for encrypted traffic analysis methods (ETA, Encrypted Traffic Analysis).
  • Implemented support for JA3+, an improved TLS client identification method that uses the features of connection negotiation and the parameters the client offers to determine which software established the connection (for example, it can identify the use of Tor and other typical applications). Unlike the previously supported JA3 method, JA3+ produces fewer false positives.
  • The number of detected network threats and problems associated with the risk of compromise (flow risk) has been expanded to 33. New threat definitions cover desktop and file sharing, suspicious HTTP traffic, malicious JA3 and SHA1 fingerprints, access to problematic domains and autonomous systems, TLS certificates with suspicious extensions, and certificates with an excessively long validity period.
  • A significant performance optimization has been carried out: compared to the 3.0 branch, traffic processing speed has increased by 2.5 times.
  • Added GeoIP support for locating hosts by IP address.
  • Added an API for calculating RSI (Relative Strength Index).
  • Implemented fragmentation management tools.
  • Added an API for calculating flow uniformity (jitter).
  • Added support for protocols and services: AmongUs, AVAST SecureDNS, CPHA (CheckPoint High Availability Protocol), DisneyPlus, DTLS, Genshin Impact, HP Virtual Machine Group Management (hpvirtgrp), Mongodb, Pinterest, Reddit, Snapchat VoIP, Tumblr, Virtual Assistant (Alexa, Siri), Z39.50.
  • Improved protocol parsing and detection for AnyDesk, DNS, Hulu, DCE/RPC, dnscrypt, Facebook, Fortigate, FTP Control, HTTP, IEC104, IEC60870, IRC, Netbios, Netflix, Ookla speedtest, openspeedtest.com, Outlook / MicrosoftMail, QUIC, RTSP, RTSP via HTTP, SNMP, Skype, SSH, Steam, STUN, TeamViewer, TOR, TLS, UPnP, wireguard.
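To make the JA3 item above concrete, here is an added example (not nDPI's code and not the JA3+ variant ntop describes) that implements the plain, publicly specified JA3 client fingerprint: it parses a TLS ClientHello, collects the version, cipher suites, extension types, supported groups and EC point formats, drops GREASE values as the JA3 specification requires, and hashes the resulting string with MD5. The ClientHello bytes are constructed inline for the example; the builder, the field values and the hostname "example.com" are all assumptions, chosen to exercise the GREASE filtering.

```python
import hashlib
import struct


def _is_grease(value):
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa: both bytes equal, low nibble 0xa."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello and return the JA3-relevant fields."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]   # JA3 uses the handshake version
    pos += 2 + 32                                        # skip client random
    pos += 1 + body[pos]                                 # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                 # skip compression methods

    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 10 and len(data) >= 2:           # supported_groups: u16 length + u16 ids
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
            elif etype == 11 and len(data) >= 1:         # ec_point_formats: u8 length + u8 ids
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "groups": groups, "formats": formats}


def ja3(record):
    """Return (ja3_string, ja3_md5) for a ClientHello record, with GREASE values removed."""
    f = parse_client_hello(record)
    fields = [
        str(f["version"]),
        "-".join(str(c) for c in f["ciphers"] if not _is_grease(c)),
        "-".join(str(e) for e in f["extensions"] if not _is_grease(e)),
        "-".join(str(g) for g in f["groups"] if not _is_grease(g)),
        "-".join(str(p) for p in f["formats"]),
    ]
    text = ",".join(fields)
    return text, hashlib.md5(text.encode("ascii")).hexdigest()


def build_client_hello(version, ciphers, extensions):
    """Assumed helper: build a minimal ClientHello record from cipher ids and (type, data) extensions."""
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # zero random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"       # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def _u16s(values):
    return b"".join(struct.pack("!H", v) for v in values)


# Constructed sample ClientHello: GREASE entries in ciphers, extensions and groups (as Chrome sends).
_SNI = b"example.com"
SAMPLE_CLIENT_HELLO = build_client_hello(0x0303, [0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F], [
    (0x0A0A, b""),                                                          # GREASE extension
    (0, struct.pack("!H", len(_SNI) + 3) + b"\x00" + struct.pack("!H", len(_SNI)) + _SNI),
    (10, struct.pack("!H", 8) + _u16s([0x2A2A, 29, 23, 24])),               # supported_groups
    (11, b"\x01\x00"),                                                      # ec_point_formats
    (13, struct.pack("!H", 4) + _u16s([0x0403, 0x0804])),                   # signature_algorithms
    (43, b"\x04\x03\x04\x03\x03"),                                          # supported_versions
])

if __name__ == "__main__":
    text, digest = ja3(SAMPLE_CLIENT_HELLO)
    print(text)
    print(digest)
```

The string before hashing ("771,4865-4866-49195-49199,0-10-11-13-43,29-23-24,0" for the sample) is what a detection engineer should log next to the hash: the hash alone is opaque, while the field list shows which cipher and extension ordering produced it. GREASE filtering matters because those values are randomized per connection, so a fingerprint that kept them would never match the same client twice, which is one of the false-positive sources a method such as JA3+ has to manage.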

Source: opennet.ru
