nDPI 5.0 Deep Packet Inspection System Released

The ntop project, which develops tools for capturing and analyzing network traffic, has released nDPI 5.0, a deep packet inspection toolkit that continues development of the OpenDPI library. The nDPI project was started after an unsuccessful attempt to get changes accepted into the OpenDPI repository, which had been left unmaintained. The nDPI code is written in C and is distributed under the LGPLv3 license.

The system identifies the application-layer protocols present in traffic by analyzing the nature of the network activity rather than relying on port numbers. Differences from OpenDPI include support for additional protocols, a port to Windows, performance optimizations, adaptation for use in real-time traffic monitoring applications, the ability to build it as a Linux kernel module, and support for identifying subprotocols.

nDPI supports detection of 56 types of network threats and more than 450 protocols and applications. A decoder for server and client SSL/TLS certificates allows the protocol to be determined from the certificate used for encryption. The ndpiReader utility is supplied for analyzing the contents of pcap dumps or live traffic captured from a network interface.

In the new release:

  • A unified traffic-fingerprinting mechanism has been implemented that combines TCP fingerprint metadata, TLS certificate hashes and JA4 identifiers into a single marker used to identify network protocols and applications. The new mechanism allows encrypted or obfuscated traffic to be identified and compared more accurately.
  • Added the ability to flag TLS, QUIC and HTTP flows whose host names (the TLS/QUIC SNI or the HTTP Host header) were not previously resolved through DNS. Such activity can point to anomalies, covert data transmission channels and attempts to bypass filtering.