nDPI: Open and Extensible GPLv3 Deep Packet Inspection Library


nDPI is an ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only in the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you with a cross-platform DPI experience. Furthermore, we have modified nDPI to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being unnecessary for network traffic monitoring.

nDPI is used by both ntop and nProbe to add application-layer detection of protocols, regardless of the port being used. This means that it is possible both to detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80) and the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

We are continuously extending nDPI; so far (as of April 2012) the following protocols are supported:

  • FTP
  • POP
  • SMTP
  • IMAP
  • DNS
  • IPP
  • HTTP
  • MDNS
  • NTP
  • NETBIOS
  • NFS
  • SSDP
  • BGP
  • SNMP
  • XDMCP
  • SMB
  • SYSLOG
  • DHCP
  • PostgreSQL
  • MySQL
  • TDS
  • DirectDownloadLink
  • I23V5
  • AppleJuice
  • DirectConnect
  • Socrates
  • WinMX
  • MANOLITO
  • PANDO
  • Filetopia
  • iMESH
  • Kontiki
  • OpenFT
  • Kazaa/Fasttrack
  • Gnutella
  • eDonkey
  • Bittorrent (Extended)
  • OFF
  • AVI
  • Flash
  • OGG
  • MPEG
  • QuickTime
  • RealMedia
  • Windowsmedia
  • MMS
  • XBOX
  • QQ
  • MOVE
  • RTSP
  • Feidian
  • Icecast
  • PPLive
  • PPStream
  • Zattoo
  • SHOUTCast
  • SopCast
  • TVAnts
  • TVUplayer
  • VeohTV
  • QQLive
  • Thunder/Webthunder
  • Soulseek
  • GaduGadu
  • IRC
  • Popo
  • Jabber
  • MSN
  • Oscar
  • Yahoo
  • Battlefield
  • Quake
  • Second Life
  • Steam
  • Halflife2
  • World of Warcraft
  • Telnet
  • STUN
  • IPSEC
  • GRE
  • ICMP
  • IGMP
  • EGP
  • SCTP
  • OSPF
  • IP in IP
  • RTP
  • RDP
  • VNC
  • PCAnywhere
  • SSL
  • SSH
  • USENET
  • MGCP
  • IAX
  • TFTP
  • AFP
  • StealthNet
  • Aimini
  • SIP
  • Truphone
  • ICMPv6
  • DHCPv6
  • Armagetron
  • CrossFire
  • Dofus
  • Fiesta
  • Florensia
  • Guildwars
  • HTTP Application Activesync
  • Kerberos
  • LDAP
  • MapleStory
  • msSQL
  • PPTP
  • WARCRAFT3
  • World of Kung Fu
  • MEEBO
  • FaceBook
  • Twitter
  • DropBox
  • Gmail
  • Google Maps
  • YouTube
  • Skype
  • Google
  • DCE RPC
  • NetFlow_IPFIX
  • sFlow
  • HTTP Connect (SSL over HTTP)
  • HTTP Proxy
  • Netflix
  • Citrix
  • CitrixOnline/GotoMeeting
  • Apple (iMessage, FaceTime…)
  • Webex
  • WhatsApp
  • Apple iCloud
  • Viber
  • Apple iTunes
  • Radius

Handling Encrypted Content


Internet traffic is trending towards encrypted content, often using SSL. To let nDPI support encrypted connections, we have added a decoder for SSL (both client and server) certificates, so that we can figure out the protocol using the encryption certificate. This allows us to identify protocols such as Citrix Online and Apple iCloud that would otherwise go undetected.
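One way the certificate-based identification described above can work, as an added example that is not nDPI's own code: scan the bytes of a server certificate for the X.509 commonName and map its domain suffix to an application label. The function names, the rule table and the sample bytes are assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative suffix rules (assumed for this example, not nDPI's table). */
static const struct { const char *suffix, *app; } RULES[] = {
    { "icloud.com",       "Apple iCloud" },
    { "citrixonline.com", "Citrix Online" },
};

/* Copy the last commonName (OID 2.5.4.3) in buf into out. The issuer precedes
 * the subject, so the last match is taken as the subject CN (a heuristic).
 * Returns 1 on success, 0 if no well-formed CN was found. */
int find_cert_cn(const uint8_t *buf, size_t len, char *out, size_t outlen) {
    static const uint8_t OID_CN[] = { 0x06, 0x03, 0x55, 0x04, 0x03 };
    int found = 0;
    for (size_t i = 0; i + sizeof(OID_CN) + 2 <= len; i++) {
        if (memcmp(buf + i, OID_CN, sizeof(OID_CN)) != 0) continue;
        uint8_t tag = buf[i + 5];
        size_t n = buf[i + 6];
        /* UTF8String, PrintableString or IA5String; short-form length only */
        if ((tag != 0x0c && tag != 0x13 && tag != 0x16) || n >= 0x80) continue;
        if (i + 7 + n > len || n >= outlen) continue; /* truncated or too long */
        memcpy(out, buf + i + 7, n);
        out[n] = '\0';
        found = 1;
    }
    return found;
}

/* Map a certificate name to an application label by domain suffix. */
const char *classify_cn(const char *cn) {
    size_t cl = strlen(cn);
    for (size_t r = 0; r < sizeof(RULES) / sizeof(RULES[0]); r++) {
        size_t sl = strlen(RULES[r].suffix);
        if (cl < sl || strcmp(cn + cl - sl, RULES[r].suffix) != 0) continue;
        if (cl == sl || cn[cl - sl - 1] == '.') return RULES[r].app;
    }
    return "SSL"; /* encrypted, application not identified */
}

/* Constructed DER fragment: issuer CN "Example CA", subject CN "*.icloud.com". */
static const unsigned char SAMPLE[] =
    "\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0a" "Example CA"
    "\x31\x15\x30\x13\x06\x03\x55\x04\x03\x0c\x0c" "*.icloud.com";

int main(void) {
    char cn[128];
    if (find_cert_cn(SAMPLE, sizeof(SAMPLE) - 1, cn, sizeof(cn)))
        printf("%s -> %s\n", cn, classify_cn(cn));
    return 0;
}
```

The label-boundary check in `classify_cn` keeps a name such as `evilicloud.com` from matching the `icloud.com` rule, and a certificate cut off mid-name yields no match instead of a partial string.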

Download Source


nDPI is automatically downloaded when you build ntop and nProbe. However, nothing prevents you from using it as a standalone DPI library. The source code can be downloaded from the ntop SVN.

Please Contribute!


DPI is a time-consuming activity as protocols (in particular P2P) change quite often. This means that it’s necessary to update the code from time to time and add extensions. We would encourage anyone out there to help us add or enhance protocols: we will put your contributions on our SVN and make them available to everyone free of charge. In fact, the main reason why we decided to go for nDPI instead of using the original library is that the company behind OpenDPI has never replied to our offers to merge the extensions we coded into the original source code.