nDPI 4.6 arrives with support for new protocols, services and more

Darkcrizt

4 minutes

nDPI

nDPI® is an open source LGPLv3 library for deep packet inspection. Based on OpenDPI, includes ntop extensions.

The release of the new version of nDPI 4.6 which introduces several improvements, as well as support for more protocols and robustness thanks to the fuzzing code introduced in this version. Protocol metadata extraction has been improved across several protocols, as has DGA detection in hostnames, among other things.

nDPI It is characterized by being used by both ntop and nProbe to add the detection of protocols at the application layer, regardless of the port being used. This means that it is possible to detect known protocols on non-standard ports.

The project allows you to determine the application-level protocols used in the traffic by analyzing the nature of network activity without binding to network ports (you can determine known protocols whose drivers accept connections on non-standard network ports, for example if http is sent not from port 80, or, conversely, when they try to camouflage other network activity such as http running on port 80).

Main new features of nDPI 4.6

In the new release of nDPI 4.6, provided ability to define custom protocols using nBPF filters (for example: 'nbpf:»host 192.168.1.1 and port 80″@HomeRouter').

Also traffic analysis performance has been greatly improved, as well as the detection of WebShell and PHP code in HTTP URLs and the definition of DGA (Domain Generational Algorithm).

The range of detected network threats and issues has been expanded associated with commitment risk (flow risk). Added support for new threat types: NDPI_HTTP_OBSOLETE_SERVER (detects old versions of Apache and nginx), NDPI_PERIODIC_FLOW, NDPI_MINOR_ISSUES, NDPI_TCP_ISSUES.

Another novelty that is presented in this new version are the fuzzing tests implemented along with improved checking of AES-NI instructions and improvements made to data serialization in JSON format.

On the other hand, it is also highlighted that added stats for Patricia, Ahocarasick and LRU cache, as well as configurable LRU cache entry aging logic, support for RTP streams to stream metadata, and the ndpiReader utility implements support for the Linux Cooked Capture v2 protocol.

On the part of the support additions for protocols and services:

  • Activision
  • AliCloud server access
  • Avast
  • CryNetwork
  • Anydesk
  • Bittorrent (fix confidence, detection over TCP)
  • DNS, add ability to decode DNS PTR records used for reverse address resolution
  • DTLS (handle certificate fragments)
  • Facebook VoIP calls
  • FastCGI (dissect PARAMS)
  • FortiClient (update default ports)
  • Discord
  • edns
  • Elasticsearch
  • FastCGI
  • Kismet
  • Liane App and Line VoIP calls
  • Meraki Cloud
  • muanin
  • NATPMP
  • HTTP subclassification
  • Check for empty/missing user-agent in HTTP
  • IRC (credentials check)
  • Jabber / XMPP
  • Kerberos (support for Krb-Error messages)
  • LDAP
  • MGCP
  • MONGODB (avoid false positives)
  • syncthing
  • TP-LINK Smart Home
  • YOURS LAN
  • SoftEtherVPN
  • tailscale
  • TiVoConnect
  • SNMP
  • SMB (support for messages split into multiple TCP segments)
  • SMTP (support for X-ANONYMOUSTLS command)
  • STUN
  • SKYPE (improve detection over UDP, remove detection over TCP)
  • Teamspeak3 (License/Weblist detection)
  • Threema Messenger
  • Zoom
  • Add Zoom screen share detection
  • Add detection of Zoom peer-to-peer flows in STUN
  • Hangout/Duo Voip calls detection, optimize lookups in the protocol tree
  • HTTP
  • Handling of HTTP-Proxy and HTTP-Connect
  • Postgres
  • POP3
  • QUIC (support for 0-RTT packets received before the initial)
  • Snapchat VoIP calls

Finally if you are interested in knowing more about it About this new version, you can check the details in the following link

How to install nDPI on Linux?

For those who are interested in being able to install this tool on their system, they can do so by following the instructions that we share below.

In order to install the tool, we must download the source code and compile it, but before that if they are Debian, Ubuntu or derivative users Of these, we must first install the following:

sudo apt-get install build-essential git gettext flex bison libtool autoconf automake pkg-config libpcap-dev libjson-c-dev libnuma-dev libpcre2-dev libmaxminddb-dev librrd-dev

In the case of those that are Arch Linux users:

sudo pacman -S gcc git gettext flex bison libtool autoconf automake pkg-config libpcap json-c numactl pcre2 libmaxminddb rrdtool

Now, in order to compile, we must download the source code, which you can obtain by typing:

git clone https://github.com/ntop/nDPI.git

cd nDPI

And we proceed to compile the tool by typing:

./autogen.sh
make

If you are interested in knowing more about the use of the tool, you can check the following link.


Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.