nDPI® is an open source LGPLv3 library for deep-packet inspection.
A generic FAQ about nDPI® is available here
In order to compile this project do:
- ./autogen.sh
- make
To compile the library w/o any tools or tests:
- ./autogen.sh --with-only-libndpi
- make
To run tests do additionally:
- ./tests/do.sh # Generate and check for diffs in PCAP files
- ./tests/do-unit.sh # Run unit tests
- ./tests/do-dga.sh # Run DGA detection test
or run all with: make check
Please note that the (minimal) prerequisites for compilation include:
- GNU tools (autoconf automake libtool pkg-config gettext flex bison)
- GNU C compiler (gcc) or Clang
On Debian/Ubuntu systems do:
- sudo apt-get install build-essential git gettext flex bison libtool autoconf automake pkg-config libpcap-dev libjson-c-dev libnuma-dev libpcre2-dev libmaxminddb-dev librrd-dev
On Arch Linux:
- sudo pacman -S gcc git gettext flex bison libtool autoconf automake pkg-config libpcap json-c numactl pcre2 libmaxminddb rrdtool
On FreeBSD:
- sudo pkg install gcc git gettext flex bison libtool autoconf automake devel/pkgconf gmake libpcap json-c pcre2 libmaxminddb rrdtool
Remember to use gmake and not make on FreeBSD.
On MacOS:
- brew install coreutils gcc git gettext flex bison libtool autoconf automake pkg-config libpcap json-c pcre2 libmaxminddb rrdtool
On Windows:
There are three supported ways to build nDPI:
- MSYS2 (assuming MSYS2 already installed): msys2 -c "pacman --noconfirm -S --needed --overwrite '*' git mingw-w64-x86_64-toolchain automake1.16 automake-wrapper autoconf libtool make mingw-w64-x86_64-json-c mingw-w64-x86_64-crt-git mingw-w64-x86_64-pcre2 mingw-w64-x86_64-libpcap"
- Mingw-w64
- Visual Studio (see windows/nDPI.sln)
Note: All Windows versions require npcap with WinPcap compatibility mode enabled.
To build the documentation:
- pip install --upgrade pip
- pip install -r doc/requirements.txt
- make doc
Use the builtin python3 webserver to view documentation:
- make doc-view
The entire procedure of adding new protocols in detail:
- Add the new protocol together with its unique ID to: src/include/ndpi_protocol_ids.h
- Create a new protocol in: src/lib/protocols/
- Variables to be kept for the duration of the entire flow (as state variables) need to be placed in src/include/ndpi_typedefs.h, in ndpi_flow_tcp_struct (for TCP only), ndpi_flow_udp_struct (for UDP only), or ndpi_flow_struct (for both).
- Add a new entry for the search function of the new protocol in: src/include/ndpi_protocols.h
- Choose (do not change anything) a selection bitmask from: src/include/ndpi_define.h
- Set the protocol's default ports in ndpi_init_protocol_defaults in: src/lib/ndpi_main.c
- Be sure to have nBPF support, cloning PF_RING in the same directory where you cloned nDPI: git clone https://github.com/ntop/PF_RING/ && cd PF_RING/userland/nbpf && ./configure && make. You can ignore the "/bin/sh: 1: ../lib/pfring_config: not found" error.
- From the nDPI root directory: ./autogen.sh --with-pcre2 (nBPF and PCRE2 are usually optional, but they are needed to run/update all the unit tests), then make and make check.
- Update the documentation, adding this new protocol to doc/protocols.rst
- Update the Windows Visual Studio configuration, adding the new .c file in windows/nDPI.vcxproj
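The flow-state step above (variables that must survive for the whole flow, as opposed to data that is only valid for the current packet) is the part of the procedure newcomers most often get wrong. The following is an added example, not nDPI code and not using the nDPI API: a self-contained C model of a dissector whose search function is called once per packet and keeps a handshake stage in a flow struct, the role played in nDPI by ndpi_flow_tcp_struct, ndpi_flow_udp_struct or ndpi_flow_struct. The "EXHELO"/"EXOK" wire format, the struct and function names, and the sample flows are all constructed for this illustration and do not correspond to any real protocol or dissector.

```c
/* Added example, not nDPI code: a model of the per-flow state pattern.
 * A search function is called once per packet; anything it must remember
 * between packets (here: which handshake stage was seen) lives in a
 * flow-scoped struct, never in a packet-scoped variable.
 * The "EXHELO\n" / "EXOK\n" exchange is a constructed, hypothetical format. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { SEARCHING = 0, DETECTED = 1, EXCLUDED = 2 };

/* Flow-scoped state: survives across calls for the same 5-tuple. */
struct example_flow {
    uint8_t stage;     /* 0 = nothing seen yet, 1 = client greeting seen */
    uint8_t excluded;  /* set once we know this flow is not our protocol */
};

/* Packet-scoped input: valid only for the duration of one call. */
struct packet {
    const uint8_t *payload;
    size_t len;
    int to_server;     /* 1 for client -> server, 0 for server -> client */
};

static int has_prefix(const struct packet *p, const char *s) {
    size_t n = strlen(s);
    return p->len >= n && memcmp(p->payload, s, n) == 0;
}

/* The search function: called for every packet until a verdict is reached.
 * Mirrors the shape of a dissector (detect / keep searching / exclude). */
enum verdict example_search(struct example_flow *flow, const struct packet *p) {
    if (flow->excluded) return EXCLUDED;
    if (p->len == 0) return SEARCHING;   /* pure ACKs carry no evidence */

    switch (flow->stage) {
    case 0:
        if (p->to_server && has_prefix(p, "EXHELO\n")) {
            flow->stage = 1;             /* remember: greeting seen */
            return SEARCHING;            /* a greeting alone is not a match */
        }
        break;
    case 1:
        if (!p->to_server && has_prefix(p, "EXOK\n"))
            return DETECTED;             /* server confirmed: match */
        break;
    }
    /* Anything else at this stage is not our protocol: exclude, so the
     * engine stops calling this dissector for the rest of the flow. */
    flow->excluded = 1;
    return EXCLUDED;
}

/* Drive a whole flow through the search function; returns the final verdict. */
enum verdict classify_flow(const struct packet *pkts, size_t n) {
    struct example_flow flow;
    enum verdict v = SEARCHING;
    memset(&flow, 0, sizeof flow);
    for (size_t i = 0; i < n && v == SEARCHING; i++)
        v = example_search(&flow, &pkts[i]);
    return v;
}

/* Constructed sample flows (not captured traffic). */
static const uint8_t HELO[] = "EXHELO\n";
static const uint8_t OK[]   = "EXOK\n";
static const uint8_t HTTP[] = "GET / HTTP/1.1\r\n";

/* Greeting, an empty ACK in between, then the server's confirmation. */
enum verdict sample_good(void) {
    struct packet f[] = {
        { HELO, sizeof HELO - 1, 1 },
        { NULL, 0, 0 },
        { OK,   sizeof OK - 1,   0 },
    };
    return classify_flow(f, 3);
}

/* Different first payload: excluded on the first data packet. */
enum verdict sample_bad(void) {
    struct packet f[] = {
        { HTTP, sizeof HTTP - 1, 1 },
        { OK,   sizeof OK - 1,   0 },
    };
    return classify_flow(f, 2);
}

/* Greeting never answered: still SEARCHING when the flow ends. */
enum verdict sample_incomplete(void) {
    struct packet f[] = { { HELO, sizeof HELO - 1, 1 } };
    return classify_flow(f, 1);
}

int main(void) {
    printf("good=%d bad=%d incomplete=%d\n",
           sample_good(), sample_bad(), sample_incomplete());
    return 0;
}
```

The two-packet rule is the point: a client greeting alone is not a detection, and without flow-scoped storage the dissector could not remember, when the server's reply arrives, that it had already seen the greeting. The EXCLUDED verdict matters as much as DETECTED: excluding early is what keeps a dissector from being re-run on every packet of a flow that is clearly something else, which is both a performance and a robustness property of the engine.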
You can use nDPI to selectively block selected Internet traffic by embedding it into an application (remember that nDPI is just a library). Both ntopng and nProbe cento can do this.
- Deri, Luca, et al. nDPI: Open-source high-speed deep packet inspection. 2014 International Wireless Communications and Mobile Computing Conference (IWCMC). IEEE, 2014.
- Using nDPI for Monitoring and Security
- Network Traffic Classification for Cybersecurity and Monitoring
While we do our best to detect network protocols, we cannot guarantee that our software is error free and 100% accurate in protocol detection. Please make sure that you respect the privacy of users and you have proper authorization to listen, capture and inspect network traffic.
nDPI is a registered trademark in the US and EU.