nDPI Deep Packet Inspection 4.8 Released

The ntop project, which develops tools for capturing and analyzing traffic, has published a release of the nDPI 4.8 Deep Packet Inspection Toolkit, which continues the development of the OpenDPI library. The nDPI project was founded after an unsuccessful attempt to commit changes to the OpenDPI repository, which was left unmaintained. The nDPI code is written in C and distributed under the LGPLv3 license.

The library identifies the application-layer protocols in traffic by analyzing the nature of the network activity itself, without relying on port numbers: it recognizes known protocols whose services listen on non-standard ports (for example, HTTP served somewhere other than port 80) and, conversely, other network activity that is disguised as HTTP by running it on port 80.

Differences from OpenDPI come down to support for additional protocols, a port to the Windows platform, performance optimization, adaptation for use in real-time traffic monitoring applications (some special-purpose features that slowed the engine down were removed), the ability to build it as a Linux kernel module, and support for defining subprotocols.

nDPI supports detection of 53 types of network threats (flow risks) and more than 350 protocols and applications (from OpenVPN, Tor, QUIC, SOCKS, BitTorrent and IPsec to Telegram, Viber, WhatsApp, PostgreSQL and access to Gmail, Office 365, Google Docs and YouTube). A decoder for server and client SSL certificates makes it possible to identify a protocol (for example, Citrix Online or Apple iCloud) from the certificate used for encryption. The bundled ndpiReader utility analyzes the contents of pcap dumps or live traffic from a network interface.

In the new release:

  • Memory consumption has been reduced by orders of magnitude, thanks to the reworking of the implementation of lists.
  • IPv6 support has been expanded.
  • Added new protocol identifiers related to adult content, advertising, web analytics and tracking.
  • Added support for protocols and services:
    • HAProxy
    • Apache Thrift
    • RMCP (Remote Management Control Protocol)
    • SLP (Service Location Protocol)
    • Bitcoin
    • HTTP/2 without encryption
    • SRTP (Secure Real-time Transport)
    • BACnet
    • OICQ (Chinese messenger)
  • Added detection of OperaVPN and ProtonVPN. Improved WireGuard detection.
  • Implemented heuristics to identify fully encrypted traffic flows.
  • Added detection of Yandex and VK services.
  • Added detection of Facebook reels and stories.
  • Added detection of the Roblox gaming platform, the NVIDIA GeForce Now cloud service, Epic Games titles, and the game “Heroes of the Storm”.
  • Improved detection of traffic from search bots.
  • Improved parsing and identification of protocols and services:
    • Gnutella
    • H323
    • HTTP
    • Hangout
    • MS Teams
    • Alibaba
    • MGCP
    • Steam
    • MySQL
    • Zabbix
  • The range of identified network threats and indicators of possible compromise (flow risks) has been expanded. Added support for new risk types: NDPI_MALWARE_HOST_CONTACTED and NDPI_TLS_ALPN_SNI_MISMATCH.
  • Fuzz testing was set up to find robustness problems.
  • Fixed build issues on FreeBSD.
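To make concrete what port-independent protocol identification, the "fully encrypted flow" heuristic and flow risks such as NDPI_MALWARE_HOST_CONTACTED and NDPI_TLS_ALPN_SNI_MISMATCH mean in practice, here is a small added example in Python. It is not nDPI code and does not use the nDPI API: the classification is done from the first payload bytes only, the fully-encrypted heuristic is a byte-entropy threshold, and the lookup tables (the malware host list, the expected-ALPN table, the standard-port table), the sample flows and the risk name KNOWN_PROTOCOL_ON_NON_STANDARD_PORT are constructed for the demo. The two NDPI_ risk names are taken from the release notes above, but the checks behind them here are a simplified approximation, not nDPI's logic.

```python
import math
from dataclasses import dataclass, field

# Constructed lookup tables for the demo (not nDPI's data).
MALWARE_HOSTS = {"c2.bad.example"}
EXPECTED_ALPN = {            # hostname -> ALPN protocols that host is known to serve
    "www.video.example": {"h2", "http/1.1"},
    "mail.example": {"imap", "smtp"},
}
STANDARD_PORTS = {"HTTP": {80, 8080}, "TLS": {443}, "SSH": {22}}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


@dataclass
class Flow:
    dst_port: int
    payload: bytes                 # first client-to-server bytes of the flow
    sni: str = ""                  # TLS Server Name Indication, if already extracted
    alpn: tuple = ()               # ALPN names offered in the TLS ClientHello
    protocol: str = "Unknown"
    risks: list = field(default_factory=list)


def guess_protocol(payload: bytes) -> str:
    """Classify from payload bytes only; the destination port is deliberately ignored."""
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:256]:
        return "HTTP"
    # TLS record type 0x16 (handshake), major version 3, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "TLS"
    if payload.startswith(b"SSH-"):
        return "SSH"
    return "Unknown"


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 means every byte value equally frequent)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_fully_encrypted(payload: bytes, threshold: float = 7.0, min_len: int = 64) -> bool:
    """Heuristic: an unrecognized flow whose first bytes are near-random is probably encrypted."""
    return len(payload) >= min_len and byte_entropy(payload) >= threshold


def http_host(payload: bytes) -> str:
    """Return the Host header of an HTTP/1.x request, or '' if absent."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii", "replace")
    return ""


def analyze(flow: Flow) -> Flow:
    """Set flow.protocol and append any flow risks found; returns the same Flow."""
    flow.protocol = guess_protocol(flow.payload)
    if flow.protocol == "Unknown" and looks_fully_encrypted(flow.payload):
        flow.protocol = "FullyEncrypted"   # heuristic label, not a named protocol

    # A recognized protocol on a port other than its usual ones (constructed risk name).
    if flow.protocol in STANDARD_PORTS and flow.dst_port not in STANDARD_PORTS[flow.protocol]:
        flow.risks.append("KNOWN_PROTOCOL_ON_NON_STANDARD_PORT")

    # The contacted host (TLS SNI or HTTP Host header) is on the constructed malware list.
    host = flow.sni or http_host(flow.payload)
    if host in MALWARE_HOSTS:
        flow.risks.append("NDPI_MALWARE_HOST_CONTACTED")

    # The ALPN offered by the client does not fit what the SNI host is known to serve.
    expected = EXPECTED_ALPN.get(flow.sni)
    if expected is not None and flow.alpn and not expected.intersection(flow.alpn):
        flow.risks.append("NDPI_TLS_ALPN_SNI_MISMATCH")
    return flow


# Constructed sample payloads: a truncated ClientHello stub and three flows.
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01]) + b"\x00" * 60

if __name__ == "__main__":
    samples = [
        Flow(8443, b"GET / HTTP/1.1\r\nHost: c2.bad.example\r\n\r\n"),   # HTTP on a non-HTTP port
        Flow(443, CLIENT_HELLO, sni="mail.example", alpn=("h2",)),         # ALPN/SNI mismatch
        Flow(5555, bytes(range(256))),                                     # maximal-entropy bytes
    ]
    for f in samples:
        analyze(f)
        print(f.dst_port, f.protocol, f.risks)
```

The point of the structure is that the classifier never consults the port: the port only enters afterwards, as a risk signal when it disagrees with what the payload says. Real engines replace the few signature checks here with hundreds of dissectors and carry the same risk bitmap per flow so that a monitoring tool can alert on it.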

Source: opennet.ru
