vrr/nDPI
2
0
Fork 0
mirror of https://github.com/vel21ripn/nDPI.git synced 2026-05-02 00:40:17 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
nDPI/wireshark
History
Ivan Nardi 7a7e4ee69f
Add a new flow risk NDPI_ANONYMOUS_SUBSCRIBER (#1462) 
The main goal of a DPI engine is usually to determine "what", i.e. which
types of traffic flow on the network.
However the applications using DPI are often interested also in "who",
i.e. which "user/subscriber" generated that traffic.

The association between a flow and a subscriber is usually done via some
kind of DHCP/GTP/RADIUS/NAT mappings. In all these cases the key element
of the flow used to identify the user is the source ip address.

That usually happens for the vast majority of the traffic.

However, depending on the protocols involved and on the position on the net
where the traffic is captured, the source ip address might have been
changed/anonymized. In that case, that address is useless for any
flow-username association.

Example: iCloud Private Relay traffic captured between the exit relay and
the server.
See the picture at page 5 on:
https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF

This commit adds new generic flow risk `NDPI_ANONYMOUS_SUBSCRIBER` hinting
that the ip addresses shouldn't be used to identify the user associated
with the flow.
As a first example of this new feature, the entire list of the relay ip
addresses used by Private Relay is added.

A key point to note is that list is NOT used for flow classification
(unlike all the other ip lists present in nDPI) but only for setting this
new flow risk.

TODO: IPv6
2022-02-28 15:25:58 +01:00
..
sharkfest_scripts fixed lua errors in non-iec104 packets (#1209) 2021-06-17 15:35:31 +02:00
tshark README for the tshark class 2021-04-25 11:45:35 +02:00
download-fuzz-traces.sh added shell script to download wireshark fuzzing traces, can be used in combination with ./tests/do.sh 2020-07-02 20:22:58 +02:00
ndpi.lua Add a new flow risk NDPI_ANONYMOUS_SUBSCRIBER (#1462) 2022-02-28 15:25:58 +01:00
README.md Added tshark description 2021-04-25 11:47:19 +02:00

README.md

nDPI Wireshark Plugin

Introduction

nDPI can provide Wireshark protocol dissection to complement internal protocol decoding. In order to do this, the ndpiReader application is used to provide Wireshark nDPI protocol dissection, and a Wireshark plugin interprets nDPI information.

Installation

  • Copy the ndpiReader application (it is located under nDPI/example) to the Extcap path. See Wireshark -> About menu for identifying the "Personal Extcap path" directory. Under MacOS it is usually /Users/username/.wireshark/extcap
  • Copy the ndpi.lua plugin under ~/.local/lib/wireshark/plugins

Usage

At Wireshark startup you will find a new extcap interface named "nDPI interface". Select that interface and specify an interface name (for live capture) or a pcap file path (for reading packets from a pcap file). You can choose a nDPI protocol list from the dropdown menu in case you want Wireshark to dissect only protocols of the specified nDPI application protocol.

During capture the ndpiReader plugin will pass Wireshark the nDPI protocol information adding an ethernet packet trailer that contains nDPI information. The lua plugin interprets this information and it displays it in the Wireshark GUI.

nDPI Packet Filtering

As nDPI is natively integrated into Wireshark, you can filter packets using the usual filtering mechanism. Example use "ndpi.protocol.name==BitTorrent" to filter all BitTorrent traffic.

tshark Lua Class

The tshark directory contains a Lua class for processing packets with tshark