nDPI Quick Start Guide
This is a translation of the official nDPI Quick Start Guide. Because that document is quite old (13), some interfaces have changed, and I will update the outdated interfaces based on version 2.0. Because my level is limited, the translation and the revised content are not guaranteed to be accurate; everyone is best advised to read the source code carefully again after getting started.
Contents
1. Introduction
2. nDPI Library
3. Example
4. nDPI API
1. Introduction
nDPI is a DPI (deep packet inspection) library derived from OpenDPI and now maintained by the ntop organization.
To provide a cross-platform DPI experience, nDPI supports Windows (and Mac) in addition to Unix platforms. To make nDPI better suited to traffic monitoring, we keep optimizing it; for example, features that are not needed for network traffic monitoring but slow down the DPI engine can be disabled.
nDPI can detect the actual application-layer protocol regardless of which port is used. This means you can detect both protocols running on non-standard ports (e.g. HTTP traffic on ports other than 80) and other protocols running on a standard port (e.g. Skype traffic on port 80), because the traditional association between a port and a protocol no longer holds.
Over the past few months, we have added several features to nDPI:
An enhanced demo application named ndpiReader
The ability to compile it into the kernel as a module, which makes it more efficient
Improved recognition speed in all respects; nDPI is now far ahead of the previous generation, OpenDPI, in this regard
Support for a large number of additional protocols (more than 180 so far), ranging from business-class protocols such as SAP and Citrix to desktop protocols such as Dropbox and Spotify
Custom port- and port-range-based protocol definitions, which complement the traditional port-based detection method
To let nDPI detect encrypted connections, we added an SSL decoder (for both client and server side) that identifies the protocol from the certificate used for encryption. This allows us to identify protocols that were previously undetectable, such as Citrix and Apple iCloud.
Support for identifying some common application sub-protocols by means of additional string-matching methods
1.1 Code Download
nDPI is downloaded automatically when you build ntop and nProbe. It can also be used as a standalone DPI library; the source code can be downloaded with git clone https://github.com/ntop/nDPI.git.
2. nDPI Library
2.1 Compiling the nDPI Source Code
Using the nDPI library is simple. It is built with the following tools and depends on the following components:
GNU autotools/libtool
gawk
gcc
libpcap or PF_RING (optional, but strongly recommended)
The installation method depends on the platform and distribution; here are some examples:
Ubuntu/Debian # apt-get install build-essential
# apt-get install git autoconf automake autogen libpcap-dev libtool
Fedora/CentOS # yum groupinstall "Development tools"
# yum install git autoconf automake autogen libpcap-devel libtool
Mac OS X (using http://brew.sh) # brew install autoconf automake libtool git
FreeBSD # pkg install autoconf automake libtool gmake git
After installing the dependencies, you can compile nDPI with the following commands:
# ./autogen.sh
# make
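The build steps above fail with an opaque autotools error when one of the listed dependencies is absent. The following POSIX sh script is an added example, not part of the nDPI project: it checks that the tools named in this section are in PATH (accepting the Homebrew names glibtool/glibtoolize as alternatives), looks for the libpcap header in a few conventional include directories (an assumption, not something the guide specifies), and only then runs the documented ./autogen.sh and make in the checkout directory passed as its argument.

```shell
#!/bin/sh
# Added example (not part of the nDPI project): dependency pre-flight check
# followed by the build steps from the guide.

# missing_tools SPEC... : each SPEC is a tool name, or alternatives joined
# with '|' (e.g. "libtool|glibtool"). Prints the specs for which no
# alternative is in PATH, space-separated, and returns 0 only if none are missing.
missing_tools() {
    missing=""
    for spec in "$@"; do
        found=1
        old_ifs=$IFS
        IFS='|'
        for alt in $spec; do
            IFS=$old_ifs
            if command -v "$alt" >/dev/null 2>&1; then
                found=0
                break
            fi
        done
        IFS=$old_ifs
        [ $found -eq 0 ] || missing="$missing $spec"
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# has_pcap_headers: 'command -v' cannot see headers, so look for pcap.h in the
# usual include directories (assumed locations for Linux, BSD and Homebrew).
has_pcap_headers() {
    for dir in /usr/include /usr/local/include /opt/homebrew/include; do
        [ -f "$dir/pcap.h" ] && return 0
    done
    return 1
}

# build_ndpi [DIR]: refuse to start when a dependency is missing, so the
# failure is explicit instead of a cryptic error halfway through autogen.
build_ndpi() {
    src_dir="${1:-.}"
    missing=$(missing_tools autoconf automake "libtool|glibtool" \
                            "libtoolize|glibtoolize" gawk gcc git)
    if [ -n "$missing" ]; then
        echo "missing build tools: $missing" >&2
        return 1
    fi
    if ! has_pcap_headers; then
        echo "libpcap development headers (pcap.h) not found" >&2
        return 1
    fi
    # The guide's own build steps, run inside the checkout.
    (cd "$src_dir" && ./autogen.sh && make)
}
```

Run it as `build_ndpi ./nDPI` after cloning; the function returns non-zero and names the missing tool when the pre-flight check fails, and otherwise leaves the build to autogen.sh and make exactly as the guide describes.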
2.2 Compiling the demo program ndpiReader from source
In version 2.0, ndpiReader in the example directory is compiled by default when you run make in the project directory.
2.3 ndpiReader command-line options
The following is the list of valid options for the demo program, with a brief explanation of each:
$ ./ndpiReader -h
ndpiReader -i <file|device> [-f <filter>] [-s <duration>] [-m <duration>]
           [-p <protos>] [-l <loops>] [-q] [-d] [-h] [-t] [-v <level>]
           [-n <threads>] [-w <file>] [-j <file>]
Usage:
  -i <file.pcap|device> | Specifies the pcap file(s) to analyse, or the device interface(s) to sniff (file list or interface list using "," as delimiter)
  -f <BPF filter>       | Specifies a BPF filter string
  -s <duration>         | Maximum sniffing time (obviously only effective when sniffing an interface)
  -m <duration>         | Timeout for fragmented parsing of a pcap file (obviously only effective when parsing pcap files)
  -p <file>.protos      | Specifies a custom protocol recognition file (e.g. protos.txt)
  -l <num loops>        | Number of times the sniffing loop is run (test only)
  -n <num threads>      | Number of threads; defaults to the number of device interfaces, and is fixed to a single thread when reading a pcap file
  -j <file.json>        | Specifies a JSON file to which packet contents are written
  -g <id:id...>         | Specifies the thread-to-CPU affinity mapping
  -d                    | Disables protocol guessing
  -q                    | Quiet mode, meaning no information is printed
  -t                    | Parses the GTP tunneling protocol
  -r                    | Prints the nDPI version and git revision
  -w <path>             | Specifies the output file for test information
  -h                    | Help information
  -v <1|2|3>            | Prints further packet details by level, divided into 1, 2,