Deep Packet Inspection

Identify applications and categories

Libprotoident

NETCAP has support for libprotoident (v2.0.14), which identifies 45 application categories and 500+ applications and protocols!

The full list of supported protocols can be found here:

libprotoident is maintained by the WAND group; you can download and install the library here:

nDPI

Furthermore, nDPI (v4.14 Stable) can be used to identify 244+ applications; they are listed here:

nDPI is maintained by ntop and can be downloaded here:

The results from all heuristic engines (LPI, nDPI and the Go heuristics) get deduplicated automatically. Future versions could compute a certainty score based on the number of votes from the different heuristics.

Audit Records with Applications Field

DPI-detected applications are stored in the Applications field, which is available in the following audit records:

  • Connection: DPI applications detected for bidirectional flows

  • Service: DPI applications detected for services running on specific IP:Port combinations

  • DeviceProfile: Aggregated DPI applications seen from/to a specific MAC address

  • IPProfile: Aggregated DPI applications seen from/to a specific IP address

The Applications field is a repeated string field (array) that contains the names of all detected applications for that audit record.
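As an added illustration of the cross-engine deduplication described above and of the array shape of the Applications field, the following Go snippet merges the labels that three engines reported for one flow and tallies how many engines agreed on each label. This is example code, not NETCAP's own implementation: the EngineResult and Vote types, the engine name strings, the case-insensitive label matching and the Certainty function are all assumptions made here.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// EngineResult holds the application labels one DPI engine reported for a flow.
// The type is an assumption of this example, not a NETCAP type.
type EngineResult struct {
	Engine string
	Apps   []string
}

// Vote is one deduplicated label together with the engines that reported it.
type Vote struct {
	Name    string   // canonical spelling: the first one seen
	Count   int      // number of distinct engines that reported the label
	Engines []string // which engines those were
}

// MergeApplications deduplicates labels across engines (case-insensitively,
// since engines do not share a naming convention) and returns one Vote per
// unique label, sorted by name. An engine repeating a label counts once.
func MergeApplications(results []EngineResult) []Vote {
	byKey := make(map[string]*Vote)
	for _, r := range results {
		seenThisEngine := make(map[string]bool)
		for _, app := range r.Apps {
			name := strings.TrimSpace(app)
			if name == "" {
				continue // engines may emit empty labels for unknown traffic
			}
			key := strings.ToLower(name)
			if seenThisEngine[key] {
				continue
			}
			seenThisEngine[key] = true
			v, ok := byKey[key]
			if !ok {
				v = &Vote{Name: name}
				byKey[key] = v
			}
			v.Count++
			v.Engines = append(v.Engines, r.Engine)
		}
	}
	votes := make([]Vote, 0, len(byKey))
	for _, v := range byKey {
		votes = append(votes, *v)
	}
	sort.Slice(votes, func(i, j int) bool { return votes[i].Name < votes[j].Name })
	return votes
}

// Applications projects the votes onto the repeated string field shape:
// a sorted array of unique application names.
func Applications(votes []Vote) []string {
	names := make([]string, 0, len(votes))
	for _, v := range votes {
		names = append(names, v.Name)
	}
	return names
}

// Certainty is one possible vote-based score: the fraction of engines that
// reported the label, in [0,1]. The formula is an assumption of this example.
func Certainty(v Vote, totalEngines int) float64 {
	if totalEngines == 0 {
		return 0
	}
	return float64(v.Count) / float64(totalEngines)
}

func main() {
	// Constructed sample: three engines classify the same bidirectional flow.
	results := []EngineResult{
		{Engine: "LPI", Apps: []string{"HTTP", "http"}},
		{Engine: "nDPI", Apps: []string{"HTTP", "Google"}},
		{Engine: "go-heuristics", Apps: []string{"HTTP", ""}},
	}
	votes := MergeApplications(results)
	fmt.Println("Applications:", Applications(votes))
	for _, v := range votes {
		fmt.Printf("%-8s votes=%d certainty=%.2f engines=%v\n",
			v.Name, v.Count, Certainty(v, len(results)), v.Engines)
	}
}
```

A label reported by a single engine only (here "Google" from nDPI) still lands in the Applications array, so the array alone does not tell you how well supported each entry is; the vote count is what a future certainty score would build on.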

Read more about DeviceProfiles here:

Device Profiles

Platform Support

NETCAP's DPI integration is currently only available on Linux and macOS.