Commit graph

252 commits

Author SHA1 Message Date
Toni Uhlig
285496d0b9 Add (generic) MsgPack protocol dissector.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2025-12-08 17:50:20 +01:00
Toni
aa3241e17b
Add (generic) JSON protocol dissector. (#2492)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2025-12-06 20:15:19 +01:00
Ivan Nardi
b762509177
S7Comm: follow-up to complete monitoring feature (#3045) 2025-11-28 18:11:24 +01:00
Ivan Nardi
b2357c29c3
Build system: Standardize and improve clean/distclean targets (#3039)
This commit improves the nDPI build system by standardizing cleanup
targets, improving portability, and ensuring complete removal of
generated files during `make distclean`.

Changes:

1. Standardize clean targets (replace /bin/rm with portable $(RM))

2. Add distclean-local targets for complete cleanup

3. Add missing clean/distclean targets

4. Remove obsolete commented-out curl detection code

5. fuzz/Makefile.am: Fix out-of-tree build compatibility by replacing hardcoded
   relative paths (../example/fuzz_*.o) with proper $(top_builddir) variables.
   Add distclean-local target.
2025-11-24 18:42:03 +01:00
Ivan Nardi
be9473f7b4 Update documentation
[skip ci]
2025-11-03 19:55:13 +01:00
Ivan Nardi
e7bba509fb
Follow-up of d69446893 (#2998)
Update the documentation.
We can't return public id on `ndpi_guess_host_protocol_id()` because we
use that value internally:
```
src/lib/ndpi_main.c:  flow->guessed_protocol_id_by_ip = ndpi_guess_host_protocol_id(ndpi_str, flow);
```
2025-10-19 12:38:51 +02:00
Luca Deri
d69446893d Added NDPI_MISMATCHING_PROTOCOL_WITH_IP flow risk
Fixed host protocol matching
Added NDPI_PROTOCOL_AKAMAI protocol
2025-10-17 23:48:44 +02:00
Ivan Nardi
8d68dc66dc
doc: Complete and enhance protocols documentation (#2984)
This commit significantly improves the protocols.rst documentation by:

1. Adding 41 missing protocol entries (100% coverage achieved):
   - Popular services: Discord, Slack, Facebook, Twitter, YouTube,
     Dropbox, Gmail, Google Maps, LinkedIn, SoundCloud
   - Cloud & storage: Google Drive, Microsoft 365, OneDrive,
     Cloudflare, Windows Update
   - Developer tools: Git, Pastebin
   - IoT & Industrial: MQTT, SOMEIP, CIP, HART-IP
   - Financial: FIX protocol, DRDA
   - VPN & Security: PPTP, Teredo, Hotspot Shield, OpenDNS
   - Gaming: PlayStation, IMO, App/Play Store
   - Specialized: RX, EdgeCast, Tesla Services, and more

2. Enhancing existing protocol descriptions:
   - MS_RPCH: Added Exchange/Outlook context
   - RESP: Clarified Redis protocol details
   - S7COMM: Expanded industrial automation context
   - Oracle: Added enterprise RDBMS information
   - RakNet: Explained game networking middleware
   - GTP-U: Added mobile network context (3G/4G/5G)
   - HSRP: Explained Cisco redundancy protocol
   - PGM: Detailed reliable multicast capabilities
   - And several others with improved technical descriptions

3. Adding comprehensive reference links:
   - Official websites and documentation
   - RFC specifications for standardized protocols
   - API documentation for developer services
   - Technical specifications from standards bodies
     (OASIS, AUTOSAR, 3GPP, ODVA, etc.)

The documentation now provides 100% coverage of all 466 protocols
defined in ndpi_protocol_ids.h, with 98% having reference links.
Each entry now includes better technical context to help users
understand protocol purpose and usage.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>
2025-10-14 15:52:28 +02:00
Ivan Nardi
42776e19f6 doc: fix table format
Close #2990
2025-10-13 17:01:43 +02:00
Ivan Nardi
d06291d125
Add detection of ESPN traffic (#2980) 2025-10-05 21:03:53 +02:00
Ivan Nardi
113170cca4
New protocols for Amazon/AWS sub-classification (#2975)
Add:
* Cognito
* API Gateway
* Kinesis
* EC2
* EMR
* S3
* Cloudfront
* DynamoDB

Keep `NDPI_PROTOCOL_AMAZON_AWS` for generic AWS traffic
2025-10-02 11:48:25 +02:00
kalinda
e1c0d8ba64
Add Matter protocol dissector (#2957)
Co-authored-by: Ivan Nardi <nardi.ivan@gmail.com>
2025-09-23 15:20:48 +02:00
Ivan Nardi
ddd277fc44
HTTP: add further configuration to enable/disable metadata extraction (#2972)
Rename existing configuration knobs, to better separate metadata from
requests, from metadata from responses
2025-09-23 15:11:25 +02:00
Toni
6f05ddbcc4
Add Samsung SDP protocol dissector (#2966)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2025-09-15 08:40:17 +02:00
Toni
6eb9249f01
Add TriStation dissector (#2964)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2025-09-11 16:20:55 +02:00
Ivan Nardi
7da2ab38cd doc: fix some typos
[skip ci]
2025-08-08 21:23:10 +02:00
Toni
470d0d6323
Add Mudfish protocol dissector (#2932)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2025-08-06 21:07:27 +02:00
Ivan Nardi
b7cb6cf408
Follow-up of 8e1b17215: NDPI_UNRESOLVED_HOSTNAME (#2933)
Add fuzzing, documentation and unit tests
2025-08-05 11:32:29 +02:00
Luca
4ec97c5470 Typo 2025-08-04 22:46:51 +02:00
Luca
8e1b17215d Implemented NDPI_UNRESOLVED_HOSTNAME flow risk for detecting flows (TLS/QUIC/HTTP) whose hostname
was not previously resolved via DNS.

Added new API calls
-  bool ndpi_cache_hostname_ip(struct ndpi_detection_module_struct *ndpi_struct, ndpi_ip_addr_t *ip_addr, char *hostname);
-  bool ndpi_cache_find_hostname_ip(struct ndpi_detection_module_struct *ndpi_struct, ndpi_ip_addr_t *ip_addr, char *hostname);
-  void ndpi_cache_hostname_ip_swap(struct ndpi_detection_module_struct *ndpi_struct);

Usage example:
- ./example/ndpiReader --cfg hostname_dns_check,1 -i tests/pcap/netflix.pcap
2025-08-04 18:59:52 +02:00
Luca Deri
80464fe719 Added sphinxcontrib.jquery 2025-07-23 17:23:56 +02:00
Luca Deri
b5a5375dc4 Fixed minor glitches 2025-07-08 12:24:24 +02:00
Luca Deri
f7d1eca35e Updated configuration 2025-07-08 12:11:47 +02:00
kalinda
9efd3cfb33
Add Blacknut, Boosteroid and Rumble protocol (SNI detection WIP) (#2907)
Co-authored-by: Ivan Nardi <nardi.ivan@gmail.com>
2025-07-03 21:41:17 +02:00
Toni
a913e914e5
Added EasyWeather protocol dissector (#2912)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2025-07-03 12:28:48 +02:00
Ivan Nardi
978ca1ba1a
New API to enable/disable protocols. Removed NDPI_LAST_IMPLEMENTED_PROTOCOL (#2894)
Change the API to enable/disable protocols: you can set that via the
standard `ndpi_set_config()` function, like every configuration
parameter. By default, all protocols are enabled.

Split the (local) context initialization into two phases:
* `ndpi_init_detection_module()`: generic part. It does not depend on the
configuration and on the protocols being enabled or not. It also
calculates the real number of internal protocols
* `ndpi_finalize_initialization()`: apply the configuration. All the
initialization stuff that depends on protocols being enabled or not
must be put here

This is the last step to have the protocols number fully calculated at
runtime

Remove a (now) useless fuzzer.

Important API changes:
* remove `NDPI_LAST_IMPLEMENTED_PROTOCOL` define
* remove `ndpi_get_num_internal_protocols()`. To get the number of
configured protocols (internal and custom) you must use
`ndpi_get_num_protocols()` after having called `ndpi_finalize_initialization()`
2025-06-23 11:24:18 +02:00
Ivan Nardi
60af824437 Fix protocol documentation
[no ci]
2025-06-18 08:37:37 +02:00
Ivan Nardi
c4dabafb0e
A new attempt to improve public documentation (#2881) 2025-06-11 20:47:32 +02:00
Vladimir Gavrilov
aba60ac354
Add GLBP dissector (#2879)
GLBP is a Cisco proprietary first-hop redundancy protocol similar to HSRP and VRRP, but with additional load balancing capabilities.
2025-06-10 15:26:10 +02:00
Vladimir Gavrilov
40fe26b2f1
Add Hamachi protocol detection support (#2860) 2025-06-02 14:00:31 +02:00
Ivan Nardi
8df79a7354
Follow-up of c1d372860 (TCP fingerprint format) (#2850) 2025-05-26 12:32:47 +02:00
Vladimir Gavrilov
74cb03eb4c
Add MELSEC protocol support (#2846) 2025-05-23 11:13:52 +02:00
Ivan Nardi
2c9ed8faaa
ospf, ipsec: use different ids for protocols at layer3 (#2838)
Don't use the same id for the same protocol identified via L3 info or
via standard TCP/UDP detection (example: ospf ip_proto 0x59 or TCP port
2604)

Before:
```
ivan@ivan-Precision-3591:~/svnrepos/nDPI(dev)$ ./example/ndpiReader -H | grep -wE 'OSPF|IPSec|AH|ESP|IP_OSPF'
 79       79 IPSec                  UDP        X        Safe         VPN                500,4500                        500
 85       85 OSPF                              X        Acceptable   Network            -                               2604
```

After:
```
ivan@ivan-Precision-3591:~/svnrepos/nDPI(ospf-ipsec)$ ./example/ndpiReader -H | grep -wE 'OSPF|IPSec|AH|ESP|IP_OSPF'
 79       79 IPSec                  UDP        X        Safe         VPN                500,4500                        500
 85       85 IP_OSPF                           X        Acceptable   Network            -                               -
116      116 AH                                X        Safe         VPN                -                               -
117      117 ESP                               X        Safe         VPN                -                               -
184      184 OSPF                   TCP        X        Safe         Network            -                               2604
```
2025-05-21 16:43:50 +02:00
Vladimir Gavrilov
0a3c8f2464
Drop GW1 support and add basic GW2 detection (#2836) 2025-05-21 11:45:31 +02:00
Ivan Nardi
896c9ffef1
Remove ProtonVPN address lists (#2831)
Proton doesn't provide the list of egress and ingress addresses anymore.
Remove the (stale) lists and the related configuration parameters.

See: https://www.reddit.com/r/ProtonVPN/comments/1k3lrl5/great_the_httpsapiprotonvpnchvpnlogicals_api_has/
See also 470a479eb
2025-05-20 17:25:09 +02:00
Vladimir Gavrilov
4ac0b4383d
Update doc/protocols.rst with missing protocols and fix formatting (#2820) 2025-05-18 19:42:30 +02:00
0xA50C1A1
edcf3579f2 Remove Half-Life 2 support; improve Source Engine protocol detection 2025-05-16 21:58:48 +02:00
0xA50C1A1
b49b7eb45f Rename NDPI_PROTOCOL_UBUNTUONE protocol ID to NDPI_PROTOCOL_CANONICAL 2025-05-15 21:43:34 +02:00
0xA50C1A1
af4af11afc Rename Lotus Notes to HCL Notes for product consistency 2025-05-15 21:43:34 +02:00
funesca
a970998f51
added raw tcp fingerprint to json (#2812)
* added raw tcp fingerprint to json

* removed unnecessary change

* fixed key for json

* added configuration option for raw tcp fingerprint

* fixed typos
2025-05-15 08:28:35 +02:00
Vladimir Gavrilov
4b47f7c669
Add kick.com support (#2813) 2025-05-14 21:06:12 +02:00
Vladimir Gavrilov
b3be9f16dc
Add Rockstar Games detection (#2805) 2025-04-28 19:54:00 +02:00
Vladimir Gavrilov
6312e4c9aa
Add Microsoft Delivery Optimization protocol (#2799) 2025-04-28 13:40:21 +02:00
Ivan Nardi
9283ebc1c9
Add a new specific ID for generic Ubiquity traffic (#2796) 2025-04-16 14:36:56 +02:00
Ivan Nardi
a806fe82b8 doc: add missing protocol 2025-04-16 13:12:22 +02:00
Ivan Nardi
3e2d69b92a Follow-up of latest Signal call change (see: 4d41588a7) 2025-04-05 14:22:05 +02:00
Ivan Nardi
29eb89a88f
Improved configuration to enable/disable export of flow risk info (#2780)
Follow-up of f568313363: now the
configuration is for flow-risk, not global
2025-03-25 21:35:01 +01:00
Ivan Nardi
56ac5bf48b
Rework the old Starcraft code to identify traffic from generic Blizzard games (#2776)
Remove `NDPI_PROTOCOL_STARCRAFT` and add a generic `NDPI_PROTOCOL_BLIZZARD`.
2025-03-25 17:16:10 +01:00
Ivan Nardi
b1edfdbf5c
Remove NDPI_FULLY_ENCRYPTED flow risk (#2779)
Use `NDPI_OBFUSCATED_TRAFFIC` instead; this way, all the obfuscated
traffic is identified via `NDPI_OBFUSCATED_TRAFFIC` flow risk.

Disable fully-encryption detection by default, like all the obfuscation
heuristics.
2025-03-25 17:00:03 +01:00
Ivan Nardi
a8ddc4d368
Remove NDPI_TLS_SUSPICIOUS_ESNI_USAGE flow risk (#2778)
That flow risk was introduced in 79b89d2866
but we can now use the generic `NDPI_TLS_SUSPICIOUS_EXTENSION` instead:
ESNI is quite suspicious nowadays in itself (i.e. even without SNI).
Note that ESNI support has been removed in cae9fb9989
2025-03-25 16:59:32 +01:00