The ntop project developers (who develop tools to capture and analyze traffic) they made known recently released the new version of nDPI, which is an ongoing maintenance superset of the popular OpenDP library.
nDPI It is characterized by being used by both ntop and nProbe to add the detection of protocols at the application layer, regardless of the port being used. This means that it is possible to detect known protocols on non-standard ports.
The project allows you to determine the application-level protocols used in the traffic by analyzing the nature of network activity without binding to network ports (you can determine known protocols whose drivers accept connections on non-standard network ports, for example if http is sent not from port 80, or, conversely, when they try to camouflage other network activity such as http running on port 80).
Differences with OpenDPI boil down to support for additional protocols, portability for the Windows platform, performance optimization, adaptation for use in applications to monitor traffic in real time (some specific features that slowed down the engine have been removed), build capabilities in the form of a Linux kernel module and support for defining sub-protocols.
In total, 247 application and protocol definitions are supported, of which the following stand out: FTP_CONTROL, POP3, SMTP, IMAP, DNS, HTTP, NetBIOS, NFS, SNMP, XDMCP, Syslog, DHCP, PostgreSQL, MySQL, Hotmail, Direct_Download_Link, POPS, VMware, SMTPS, FacebookZero, UBNTAC2, OpenFT, Gnutella, eDonkey , Skype, Signal, Xbox, ShoutCast, IRC, Ayiya, Unencrypted_Jabber, Yahoo, Telnet, VNC, Dropbox, GMail, YouTube, TeamViewer, UPnP, Spotify, OpenVPN, CiscoVPN, Deezer, Instagram, Microsoft, Google Drive, Cloudflare, MS_OneDrive, OpenDNS, Git, Pastebin, LinkedIn, SoundCloud, Amazon Video, Google Docs, WhatsApp Files, Targus Dataspeed, Zabbix, WebSocket, among others.
Main new features of nDPI 4.0
As for the novelties that are presented in this new version 4.0, it has been boosted in terms of speed with an improvement of 2.5 with respect to the 3.x series.
On the part of the changes, we can find that it was implemented support for improved JA3 + TLS client identification method, which allows, based on the connection negotiation characteristics and specified parameters, to determine what software is used to establish a connection (for example, it allows to determine the use of Tor and other typical applications).
Also the number of detections of network threats and problems associated with compromise risk has been expanded (flow risk) to 33, plus new desktop and file sharing related threat identifiers added, suspicious HTTP traffic, malicious JA3 and SHA1, access to problematic domains and autonomous systems, use of certificates in TLS with suspicious extensions or expiration dates too long.
We can also find that more support for protocols and services has been added, of which we can now find: AmongUs, AVAST SecureDNS, CPHA (CheckPoint High Availability Protocol), DisneyPlus, DTLS, Genshin Impact, HP Virtual Machine Group Management (hpvirtgrp), Mongodb, Pinterest, Reddit, Snapchat VoIP, Tumblr, Virtual Asssitant ( Alexa, Siri), Z39.50.
While for screening and screening services that were improved in this new version are mentioned: AnyDesk, DNS, Hulu, DCE / RPC, dnscrypt, Facebook, Fortigate, FTP Control, HTTP, IEC104, IEC60870, IRC, Netbios, Netflix, Ookla speedtest, openspeedtest.com, Outlook / MicrosoftMail, QUIC, RTSP protocols, RTSP over HTTP, SNMP, Skype, SSH, Steam, STUN, TeamViewer, TOR, TLS, UPnP, wireguard.
Of the other changes that stand out of the new version:
- Improved support for encrypted traffic analysis (ETA) methods.
- Unlike the previously supported JA3 method, JA3 + has fewer false positives.
- Significant performance optimization has been carried out, compared to the 3.0 branch, the traffic processing speed has been increased by 2.5 times.
- GeoIP support was added to determine location by IP address.
- Added API to calculate RSI (Relative Strength Index).
- Fragmentation controls have been implemented.
- Added API to calculate flow uniformity (jitter).
Finally if you are interested in knowing more about it, you can check the details In the following link.