github ntop/nDPI 5.0
5.0 Stable

nDPI 5.0 (Nov 2025)

Major Changes

Important API Changes

  • Build system: you need to explicitly call the configure script: ./autogen.sh && ./configure --$OPTIONS && make. See: #2993
  • Remove ndpi_set_protocol_detection_bitmask2(): all protocols are enabled by default. If you need to disable some protocols you can use the usual ndpi_set_config()
  • The defines NDPI_MAX_SUPPORTED_PROTOCOLS and NDPI_MAX_NUM_CUSTOM_PROTOCOLS have been removed: the number of protocols must be obtained only at runtime, via ndpi_get_num_protocols()
  • Remove NDPI_PROTOCOL_BITMASK (because its size is hardcoded to 512). Create a new structure, ndpi_bitmask, where the max number of bits is specified at runtime
  • Change the return parameter of ndpi_detection_process_packet(); get rid of ndpi_extra_dissection_possible(). See: #2942
  • Remove NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_LLM and NDPI_PROTOCOL_ADS_ANALYTICS_TRACK because they are not real protocols: keep only the categories with a similar name
  • Modify the API to set a custom memory allocator
  • Added ability to export host-based configuration (#3022)

Further information is available at #2862

New Supported Protocols and Services

  • Add Microsoft Delivery Optimization in #2799
  • Add Rockstar Games in #2805
  • Add kick.com in #2813
  • Remove World Of Kung Fu in #2815
  • Remove Vhua #2816
  • Rename Lotus Notes & Ubuntu One in #2817
  • Remove Half-Life 2 in #2819
  • Remove Warcraft 3 (pre Reforged) in #2826
  • Add MELSEC in #2846
  • Add Hamachi in #2860
  • Add GLBP in #2879
  • Added EasyWeather in #2912
  • Add Blacknut, Boosteroid and Rumble in #2907
  • Add Mudfish in #2932
  • Add TriStation #2964
  • Add Samsung SDP in #2966
  • Add Matter in #2957
  • Add new protocols for Amazon/AWS sub-classification in #2975
  • Add ESPN in #2980
  • Add Akamai in d694468
  • Add ~30 new categories in 6dda483 and 99f94b9
  • Remove NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_LLM and NDPI_PROTOCOL_ADS_ANALYTICS_TRACK because they are not real protocols: keep only the similar categories. See: 3a243bb, #2900

Further information is available at https://github.com/ntop/nDPI/blob/dev/doc/protocols.rst

New features

  • Add support for out-of-tree builds (#2993)
  • Provide an explicit state for the flow classification process (#2942)
  • Add the concept of protocols stack: more than 2 protocols in the flow classification (#2913)
  • Add detection of flows where the numeric flow server IP address does not match the known IPs for the detected protocol. It is still a work in progress

New algorithms

  • New API functions to encode/decode hex strings: ndpi_hex_encode(), ndpi_hex_decode() in 74f5e0e
  • New ranking detection API to determine rank changes: ndpi_init_ranking(), ndpi_term_ranking(), ndpi_serialize_ranking(), ndpi_deserialize_ranking(), ndpi_ranking_add_epoch()

New configuration knobs

Further information is available at https://github.com/ntop/nDPI/blob/dev/doc/configuration_parameters.md

  • hostname_dns_check: enable/disable detection of flows (TLS/QUIC/HTTP) whose hostname was not previously resolved via DNS
  • metadata.tcp_fingerprint: enable/disable computation and export of raw TCP fingerprint
  • metadata.tcp_fingerprint_format: format of the TCP fingerprint. 0 = native nDPI format, 1 = MuonFP (see: https://github.com/sundruid/muonfp)
  • http,metadata.resp.content_type: enable/disable export of Content Type (response) header for HTTP flows
  • http,metadata.resp.server: enable/disable export of Server (request) header for HTTP flows
  • tls,blocks_analysis: enable/disable analysis of TLS blocks size

Improvements

  • Improved protocol guess in b8dc84f
  • STUN: set default port for TCP, too in #2804
  • Add VK Video domain in #2809
  • Update Threema and VK ASN lists in febcc7e
  • Micro-optimizations of ndpi_strncasestr and 'LINE_*' macros in #2808
  • Improve Ubiquiti device discovery request/response detection in #2810
  • Add raw tcp fingerprint to json in #2812
  • Improve Source Engine protocol detection in #2819
  • RTSP: simplify detection in #2822
  • TLS: register TLS dissector only once in #2825
  • Flow: keep track of "dissectors" in #2828
  • Gnutella: simplify code, to support only gtk-gnutella client in #2830
  • Minor simplification on protocol/dissector registration in #2833
  • Added new API calls: ndpi_is_master_only_protocol(), ndpi_normalize_protocol() in c590dc4
  • CrossFire: update code in #2834
  • Another minor simplification on protocol/dissector registration in #2835
  • Drop GW1 support and add basic GW2 detection in #2836
  • ospf, ipsec: use different ids for protocols at layer3 in #2838
  • Add new Adjust domains in #2841
  • VRRP: add missing dissector registration in #2842
  • Improve BFCP detection in #2844
  • Simplify ZeroMQ detection in #2847
  • A new interface for dissectors registration in #2843
  • Add ndpi_memcasecmp, refactor mail protocol dissectors in #2849
  • ndpi_flow_tcp_struct refactoring in #2848
  • Dofus: update detection to version 3.X in #2852
  • Better separation between "protocols" and "dissectors" in #2855
  • Allow specifying default ports via ranges as well in #2856
  • Improved detection of TCP scanners in 9e5a67f
  • Add ndpi_load_protocols_dir() API call for loading IP-based protocol detection in 2e679ba
  • Updated bots and scanners list in 2e679ba
  • New API to enable/disable protocols; remove ndpi_set_protocol_detection_bitmask2() in #2853
  • First step into a dynamic number of protocols in #2857
  • Hamachi: improve handshake check in #2861
  • Remove ndpi_set_proto_defaults() from the API in #2863
  • Split ndpi_set_proto_defaults() logic in #2864
  • Add a configuration to test a huge number of custom protocols in #2865
  • Improved HTTP risk message report in ed6f257
  • Speed up protocol lookup in ndpi_get_proto_by_name() in #2867
  • Speed up category lookup in ndpi_get_category_id() in #2869
  • Add ndpi_get_breed_by_name() in #2870
  • Dynamic allocation of ndpi_struct->proto_defaults[] in #2866
  • Added IMO and Badoo files in 38cc4ac
  • Normalize breed/category names: use _ instead of spaces and slashes in #2873
  • Remove NDPI_PROTOCOL_BITMASK; add a new generic bitmask data structure in #2871
  • Improved HTTP risk report in 2a77c58
  • Simplify ndpi_internal_detection_process_packet() in #2877
  • Rework sanity checks and remove some functions from API in #2882
  • Check ndpi_finalize_initialization() return value in #2884
  • Preliminary work to remove NDPI_LAST_IMPLEMENTED_PROTOCOL in #2885
  • Move dissectors initialization to ndpi_finalize_initialization() in #2886
  • Faster configuration in #2887
  • Rework ndpi_init_detection_module_ext() in #2888
  • Rework default ports initialization in #2893
  • fuzz: fuzz loading of external protocols lists in #2897
  • New API to enable/disable protocols. Removed NDPI_LAST_IMPLEMENTED_PROTOCOL in #2894
  • Create a wrapper to check for NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT risk in #2898
  • If NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT risk is disabled, avoid some work in #2899
  • STUN: don't check NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT flow risk in #2901
  • Bittorrent: update default ports in #2902
  • Rework classification in ndpi_match_host_subprotocol()-like functions in #2910
  • Add auto-updating cryptocurrency mining pool lists in #2891
  • websocket: ndpi_set_detected_protocol() should be called only once in #2911
  • Refactor: make src_name/dst_name dynamically allocated to reduce RAM usage in struct ndpi_flow_info in #2908
  • Add some domains with generic Game category in #2930
  • Added ability to enable DNS cache via API in db37bec
  • Improved ndpi_is_valid_hostname() and changed its prototype (now it returns a bool) in 9e5a7bd
  • Implemented nDPI fingerprint that is computed using TCP fingerprint, JA4 fingerprint, TLS SHA1 certificate (if present), or JA3S fingerprint (if SHA1 is missing) in 11d74ea, #2961, #3002
  • Initial (WiP/basic) implementation of the ranking detection API used to determine rank changes in a6e2b4e, 2b64ac7, df94d7e, 52ce501, 15f8dad
  • croaring: update to 4.3.6 (from 3.0.0) in #2934
  • fuzz: add new fuzzers for bitmask and filter data structures in #2937
  • Rework flow breed in #2926
  • Update CryNetwork protocol dissector in #2959
  • Added checks on TLS key_share and supported_groups in 37562c6, #2963, #2967
  • Improved CryNetwork dissector; detect "special" packets in #2965
  • Use const for some IPv6 structs used as fn args in #2969
  • HTTP: add further configuration to enable/disable metadata extraction in #2972
  • Updated fingerprint for macOS in 02a92e3
  • Improved Telnet detection. Fixes #2936 in #2982
  • We are not interested in entropy for encrypted flows in #2983
  • Add statistics about hash data structures in #2995
  • Improved Android classification in cb9e63f
  • Added NDPI_MISMATCHING_PROTOCOL_WITH_IP flow risk in d694468
  • Added wildcard mapping support in categories in eca94a4
  • Extend values saved in hash data structure to u_int64_t in #3013
  • Added TLS Block Analysis in #3016
  • Update all lists in #3017

Bug Fixes

  • CentOS compilation fix in febcc7e
  • Fix classification when non tcp/udp protocols are disabled in #2824
  • Remove duplicate ALPS extension in #2821
  • uthash: use ndpi wrappers for memory allocation in #2829
  • Gnutella: avoid false positives in #2832
  • Fix isAppProtocol for GTP_U in #2837
  • IPP: fix selection bitmask in #2845
  • Fix some warnings reported by scan-build in #2851
  • BFCP: fix check on payload length and extract metadata in #2854
  • Fix configuration of ip lists of flow risks in #2859
  • Fixes invalid SSH client/server detection based on stage and not on packet direction in 38fe985
  • TCP fingerprint: fix a heap-buffer-overflow in #2876
  • Fix heap-buffer-overflow in #2896
  • Viber: fix category in 64ea82c
  • ndpiReader: fix check on max number of packets per flow in 06a49b4
  • Fix segfault on -m option: safely reuse/reset stats between iterations (#2903) in #2904
  • Fix logic: reset stats once per thread after clearing all flow roots in #2905
  • Fix classification with nBPF rules in ed1e6e2
  • Fix ndpi_reconcile_protocols() with classification by port/ip in 898135b
  • Jabber: proper subclassification of TruePhone in e5dbe83
  • Fix JA4 fingerprinting in #2915
  • Converts a host to a domain name to avoid mismatch when mixing domains with hosts in 6785ae3
  • Fix corner cases for custom protocols and TCP fingerprint in #2919
  • Bittorrent: fix breed value in a79e558
  • Google, Signal: fix breed value in #2920
  • Whois/DAS: avoid false positives in #2925
  • MS domain lists: avoid duplicates in #2928
  • Z39.50: avoid false positives in #2938
  • Fix the crash issue during protocol guessing in multi-core scenarios in #2939
  • Add fix to allow hosts and domains match when using protos.txt in 80b5c59
  • SSH: fix extraction of client identification string in #2949
  • Fixed risk typ0 in #2952
  • Fix string truncation warning in #2954
  • SSDP: fix extraction of SNI in #2955
  • Fix (clang) linker issue caused by missing 'static inline's in #2956
  • Fix roaring_v2 build issue if compiling with -Werror -Wall -Wextra -fno-inline in #2958
  • Fix JSON value "amount of TLS blocks" in tls2json if dissected protocol is QUIC in #2960
  • WindowsUpdate: fix category and flow risk (over HTTP) in #2973
  • Fix ndpi_is_valid_hostname() in #2974
  • Check ndpi_init_deserializer_buf params in 7b8b1eb
  • Proper handling of internal/external ids in FPC; fix FPC with custom rules in #3007
  • Fixes invalid initialization that caused the two commands below to return different results in 79b7411
  • Proper handling of internal/external ids in ndpi_detection_giveup() in 9a925ab
  • Proper handling of internal/external ids in FPC; fix FPC with custom rules (#3007)
  • Fix FPC confidence with custom rules in #3008
  • Fix flow risks with custom rules in #3010
  • Fix broken header install in #3012

Misc

  • Fix unit test compilation on Windows in #2802
  • Fix python dev requirements installation command in #2800
  • Remove ProtonVPN address lists in #2831 and #2811
  • Update/Improve documentation in #2820, #2984, #2985
  • Fix README.md in #2840
  • A new attempt to improve public documentation in #2881
  • fuzz: make allocation failures a bit more unlikely in 2b14b46
  • ndpiReader: print categories summary in #2895
  • Added simple tool hosts2domains used to extract domain names from hostnames listed in a text file in 16f332e
  • Build tests in oss-fuzz in #2918
  • ndpiReader: add breed to flow information in #2924
  • ndpiReader: improve debug option '-x' to test category matches in 6a32283
  • Added utility to print content of rank files in d20f4bb
  • fuzz: improve per-fuzzer introspector statistics in #2970
  • CI: update macOS runners in #2971
  • Rocky10 fixes in 560e5c9
  • Automatically update the ip list of ChatGPT bots in #2977
  • ndpiReader: quick test for a list of domains in #2978
  • configure: avoid compiling rrdtool if --with-only-libndpi is set in #2987
  • ndpiReader: fix memory accounting in #2988
  • fuzz: simplify Makefile in #2991
  • configure: improve roaring version detection in #2989
  • Fix library installation path duplication (issue #1971) in #2986
  • Fix CI RPM build (switch to Alma Linux 8). Fix #2997 in #3001
  • fuzz: keep only real/interesting corpora in #3009

Full Changelog: 4.14...5.0