nDPI 4.6 (Feb 2023)
New Features
- New support for defining custom protocols with nBPF (BPF-like) filters (see example/protos.txt)
- Improved dissection performance
- Added fuzzing across the code base
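Added example (not from nDPI's own example/protos.txt): a constructed custom protocol file that combines the existing port and host rules with the new nBPF rule type. The `tcp:`/`udp:` and `host:"..."` lines follow the protos.txt format; the `nbpf:"..."` keyword and the requirement that nDPI be built with nBPF support are assumptions, so check example/protos.txt in the release for the exact syntax before relying on it.

```text
# custom.protos - constructed example, not shipped with nDPI
# Port-based rule: any flow on these ports is labelled MyAppControl
tcp:8181,udp:8181@MyAppControl
# Host-based rule: matches the server name seen in TLS SNI / HTTP Host
host:"updates.example.internal"@MyAppUpdates
# nBPF rule (assumed "nbpf:" keyword): a BPF-like filter compiled by nBPF,
# useful when the match depends on more than a single port or name
nbpf:"udp and dst host 10.0.0.5 and dst port 5000"@MyAppTelemetry
```

Load it with `ndpiReader -p custom.protos -i capture.pcap`, or from the C API with `ndpi_load_protocols_file()` on the detection module before feeding packets. A rule only labels matching flows; it adds no dissector, so the protocol-specific metadata and flow risks listed later in this changelog are still produced only for traffic that the built-in dissectors recognise.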
New Supported Protocols and Services
- Add protocol detection for:
- Activision
- AliCloud server access
- AVAST
- CryNetwork
- Discord
- EDNS
- Elasticsearch
- FastCGI
- Kismet
- Line App and Line VoIP calls
- Meraki Cloud
- Munin
- NATPMP
- Syncthing
- TP-LINK Smart Home
- TUYA LAN
- SoftEther VPN
- Tailscale
- TiVoConnect
Improvements
- Improve protocol detection for:
- Anydesk
- Bittorrent (fix confidence, detection over TCP)
- DNS, add ability to decode DNS PTR records used for reverse address resolution
- DTLS (handle certificate fragments)
- Facebook VoIP calls
- FastCGI (dissect PARAMS)
- FortiClient (update default ports)
- Zoom
- Add Zoom screen share detection
- Add detection of Zoom peer-to-peer flows in STUN
- Hangout/Duo VoIP call detection; optimize lookups in the protocol tree
- HTTP
- Handling of HTTP-Proxy and HTTP-Connect
- HTTP subclassification
- Check for empty/missing user-agent in HTTP
- IRC (credentials check)
- Jabber/XMPP
- Kerberos (support for Krb-Error messages)
- LDAP
- MGCP
- MongoDB (avoid false positives)
- Postgres
- POP3
- QUIC (support for 0-RTT packets received before the initial)
- Snapchat VoIP calls
- SIP
- SNMP
- SMB (support for messages split into multiple TCP segments)
- SMTP (support for X-ANONYMOUSTLS command)
- STUN
- Skype (improve detection over UDP, remove detection over TCP)
- Teamspeak3 (License/Weblist detection)
- Threema Messenger
- TINC (avoid processing SYN packets)
- TLS
- improve reassembler
- handling of ALPN(s) and subclassification
- ignore invalid Content Type values
- WindowsUpdate
- Add flow risk:
- NDPI_HTTP_OBSOLETE_SERVER (Apache and nginx are supported)
- NDPI_MINOR_ISSUES (generic risk carrying relevant information about minor issues found in the traffic)
- NDPI_PERIODIC_FLOW (reserved bit to be used by apps based on nDPI)
- NDPI_TCP_ISSUES
- Improve detection of webshell and PHP code in HTTP URLs (reported via flow risk)
- Improve DGA detection
- Improve AES-NI check
- Improve nDPI JSON serialization
- Improve export/print of L4 protocol information
- Improve connection refused detection
- Add statistics for Patricia tree, Aho-Corasick automaton, LRU cache
- Add a generic (optional and configurable) expiration logic in LRU caches
- Add RTP stream type in flow metadata
- LRU cache is now IPv6 aware
Tools
- ndpiReader
- Add support for Linux Cooked Capture v2
- Fix packet dissection (CAPWAP and TSO)
- Fix discarded-bytes statistics
Fixes
- Fix classification by-port
- Fix exclusion of DTLS protocol
- Fix undefined behavior in ahocorasick callback
- Fix infinite loop when a custom rule has port 65535
- Fix undefined behavior when setting empty user-agent
- Fix infinite loop in DNS dissector (due to an integer overflow)
- Fix JSON export of IPv6 addresses
- Fix memory corruptions in Bittorrent, HTTP, SoftEther, Florensia, QUIC, IRC, TFTP dissectors
- Fix stop of extra dissection in HTTP, Bittorrent, Kerberos
- Fix signed integer overflow in ASN1/BER dissector
- Fix char/uchar bug in ahocorasick
- Fix endianness in IP-Port lookup
- Fix FastCGI memory allocation issue
- Fix metadata extraction in NAT-PMP
- Fix invalid unidirectional traffic alert for unidirectional protocols (e.g. sFlow)
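Added illustration, not nDPI code: the two loop-termination fixes above (a custom rule whose port range ends at 65535, and the DNS dissector hang caused by an integer overflow) belong to the same bug class, a counter that wraps before its bound check can fail. That a 16-bit port counter is what was fixed in nDPI is an assumption; the snippet below shows the pattern itself, with a guarded version of the buggy loop so it can be run safely, next to the corrected loop.

```c
/* Constructed example of the "counter wraps below its bound" hang.
 * register_range_* are stand-ins for "add every port in [lo, hi] to a rule table";
 * they only count what they would have registered. */
#include <stdint.h>
#include <stdio.h>

/* Buggy pattern: with hi == 65535 the condition `port <= hi` is always true,
 * because incrementing a uint16_t at 65535 wraps to 0 instead of reaching 65536.
 * `limit` is a guard so the function can be exercised from a test;
 * a return of -1 means the loop would not have terminated on its own. */
static long register_range_buggy(uint16_t lo, uint16_t hi, unsigned long limit) {
    long registered = 0;
    unsigned long iterations = 0;
    for (uint16_t port = lo; port <= hi; port++) {
        registered++;
        if (++iterations > limit)
            return -1;            /* would spin forever without the guard */
    }
    return registered;
}

/* Fixed pattern: iterate with a type wide enough to represent hi + 1,
 * and reject an inverted range instead of silently doing nothing useful. */
static long register_range_fixed(uint16_t lo, uint16_t hi) {
    long registered = 0;
    if (lo > hi)
        return 0;
    for (uint32_t port = lo; port <= hi; port++)
        registered++;
    return registered;
}

int main(void) {
    printf("buggy 80..80:        %ld\n", register_range_buggy(80, 80, 1000));
    printf("buggy 65530..65535:  %ld\n", register_range_buggy(65530, 65535, 1u << 17));
    printf("fixed 65530..65535:  %ld\n", register_range_fixed(65530, 65535));
    return 0;
}
```

The same reasoning applies to a parser offset: if an offset or remaining-length variable is narrower than the buffer it indexes, `offset < len` can stay true after the offset wraps, which is the shape of the DNS fix above. Fuzzing finds these quickly because the input that triggers them is a single boundary value.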
Misc
- Support for Rocky Linux 9
- Enhance fuzzers to test nDPI configurations, memory allocation failures, serialization/deserialization, algorithms and data structures
- GitHub Actions: update to Node.js 16
- Size of LRU caches is now configurable