nDPI安装 - 图1

    1. apt-get install libpcap-dev build-essential
    4. git clone https://github.com/ntop/nDPI.git
    5. cd nDPI
    6. ./autogen.sh
    7. ./configure && make && make install

    nDPI安装 - 图2

    1. cd nDPI/example
    2. ./ndpiReader --help

    nDPI安装 - 图3

    1. $ ./ndpiReader -i ens3 -s 30 -v 2
    4. -----------------------------------------------------------
    5. * NOTE: This is demo app to show *some* nDPI features.
    6. * In this demo we have implemented only some basic features
    7. * just to show you what you can do with the library. Feel
    8. * free to extend it and send us the patches for inclusion
    9. ------------------------------------------------------------
    12. Using nDPI (3.4.0) [1 thread(s)]
    13. Capturing live traffic from device ens3...
    14. Capturing traffic up to 30 seconds
    15. Running thread 0...
    16. Error while reading pcap file: ''
    19. nDPI Memory statistics:
    20.     nDPI Memory (once):      223.89 KB
    21.     Flow Memory (per flow):  2.21 KB
    22.     Actual Memory:           3.82 MB
    23.     Peak Memory:             3.82 MB
    24.     Setup Time:              57 msec
    25.     Packet Processing Time:  30196 msec
    28. Traffic statistics:
    29.     Ethernet bytes:        36423         (includes ethernet CRC/IFC/trailer)
    30.     Discarded bytes:       350
    31.     IP packets:            223           of 230 packets total
    32.     IP bytes:              31071         (avg pkt size 135 bytes)
    33.     Unique flows:          13
    34.     TCP Packets:           199
    35.     UDP Packets:           18
    36.     VLAN Packets:          0
    37.     MPLS Packets:          0
    38.     PPPoE Packets:         0
    39.     Fragmented Packets:    0
    40.     Max Packet size:       1480
    41.     Packet Len < 64:       100
    42.     Packet Len 64-128:     104
    43.     Packet Len 128-256:    10
    44.     Packet Len 256-1024:   3
    45.     Packet Len 1024-1500:  6
    46.     Packet Len > 1500:     0
    47.     nDPI throughput:       7.38 pps / 9.42 Kb/sec
    48.     Analysis begin:        05/Jun/2021 00:05:20
    49.     Analysis end:          05/Jun/2021 00:05:49
    50.     Traffic throughput:    7.38 pps / 9.42 Kb/sec
    51.     Traffic duration:      30.197 sec
    52.     Guessed flow protos:   0
    57. Detected protocols:
    58.     DNS                  packets: 18            bytes: 1928          flows: 8
    59.     HTTP                 packets: 11            bytes: 3506          flows: 1
    60.     ICMP                 packets: 6             bytes: 588           flows: 1
    61.     TLS                  packets: 21            bytes: 6207          flows: 1
    62.     SSH                  packets: 167           bytes: 18842         flows: 2
    67. Protocol statistics:
    68.     Safe                          6207 bytes
    69.     Acceptable                   24864 bytes
    72. JA3 Host Stats:
    73.          IP Address                       # JA3C
    74.     1     192.168.1.46                  1
    76.     1    TCP 172.16.1.138:55480 <-> 192.168.1.46:22 [proto: 92/SSH][cat: RemoteAccess/12][99 pkts/8306 bytes <-> 54 pkts/9336 bytes][Goodput ratio: 21/62][18.54 sec][bytes ratio: -0.058 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 33/0 201/362 1559/1612 283/355][Pkt Len c2s/s2c min/avg/max/stddev: 66/102 84/173 110/1389 20/219][Plen Bins: 0,68,24,4,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0]
    77.     2    TCP 192.168.1.46:59044 <-> 103.235.46.39:443 [proto: 91/TLS][cat: Web/5][11 pkts/1333 bytes <-> 10 pkts/4874 bytes][Goodput ratio: 48/88][1.06 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 85/73 272/253 111/99][Pkt Len c2s/s2c min/avg/max/stddev: 54/56 121/487 571/1514 146/568][TLSv1.2][Client: www.baidu.com][JA3C: 456523fc94726331a4d5a2e1d40b2cd7][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,0,0,33,0,0,0,0,0,0,11,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0]
    78.     3    TCP 192.168.1.46:41002 <-> 103.235.46.39:80 [proto: 7/HTTP][cat: Web/5][7 pkts/487 bytes <-> 4 pkts/3019 bytes][Goodput ratio: 16/92][1.04 sec][Host: www.baidu.com][bytes ratio: -0.722 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/199 152/236 288/274 128/38][Pkt Len c2s/s2c min/avg/max/stddev: 54/56 70/755 131/1514 26/692][URL: www.baidu.com/][StatusCode: 200][Content-Type: text/html][User-Agent: curl/7.58.0][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,33,0,0]
    79.     4    TCP 192.168.1.46:22 <-> 172.16.1.138:54769 [proto: 92/SSH][cat: RemoteAccess/12][2 pkts/408 bytes <-> 12 pkts/792 bytes][Goodput ratio: 67/0][0.22 sec][bytes ratio: -0.320 (Download)][IAT c2s/s2c min/avg/max/stddev: 40/0 40/17 40/83 0/28][Pkt Len c2s/s2c min/avg/max/stddev: 142/66 204/66 266/66 62/0][Plen Bins: 0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
    80.     5    ICMP 192.168.1.46:0 <-> 103.235.46.39:0 [proto: 81/ICMP][cat: Network/14][3 pkts/294 bytes <-> 3 pkts/294 bytes][Goodput ratio: 57/57][2.28 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1000/987 1000/1002 1000/1018 0/16][Pkt Len c2s/s2c min/avg/max/stddev: 98/98 98/98 98/98 0/0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
    81.     6    UDP 192.168.1.46:55773 <-> 192.168.1.2:53 [proto: 5/DNS][cat: Network/14][2 pkts/183 bytes <-> 2 pkts/271 bytes][Goodput ratio: 54/69][0.09 sec][Host: 39.46.235.103.in-addr.arpa][::][PLAIN TEXT (record)][Plen Bins: 0,75,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
    82.     7    UDP 192.168.1.46:48654 <-> 192.168.1.2:53 [proto: 5/DNS][cat: Network/14][1 pkts/87 bytes <-> 1 pkts/176 bytes][Goodput ratio: 51/76][0.09 sec][Host: www.a.shifen.com][::][PLAIN TEXT (shifen)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
    83.     8    UDP 192.168.1.46:52029 <-> 192.168.1.2:53 [proto: 5/DNS][cat: Network/14][1 pkts/87 bytes <-> 1 pkts/176 bytes][Goodput ratio: 51/76][0.09 sec][Host: www.a.shifen.com][::][PLAIN TEXT (shifen)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
    84.     9    UDP 192.168.1.46:32850 <-> 192.168.1.2:53 [proto: 5/DNS][cat: Network/14][1 pkts/87 bytes <-> 1 pkts/129 bytes][Goodput ratio: 51/67][0.05 sec][Host: www.a.shifen.com][103.235.46.39][PLAIN TEXT (shifen)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
    85.     10    UDP 192.168.1.46:50870 <-> 192.168.1.2:53 [proto: 5/DNS][cat: Network/14][1 pkts/87 bytes <-> 1 pkts/129 bytes][Goodput ratio: 51/67][0.09 sec][Host: www.a.shifen.com][103.235.46.39][PLAIN TEXT (shifen)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
    86.     11    UDP 192.168.1.46:33829 <-> 192.168.1.2:53 [proto: 5/DNS][cat: Network/14][1 pkts/86 bytes <-> 1 pkts/86 bytes][Goodput ratio: 51/51][0.00 sec][Host: www.wshifen.com][::][PLAIN TEXT (wshifen)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
    87.     12    UDP 192.168.1.46:51412 <-> 192.168.1.2:53 [proto: 5/DNS][cat: Network/14][1 pkts/86 bytes <-> 1 pkts/86 bytes][Goodput ratio: 51/51][0.00 sec][Host: www.wshifen.com][::][PLAIN TEXT (wshifen)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
    88.     13    UDP 192.168.1.46:59250 <-> 192.168.1.2:53 [proto: 5/DNS][cat: Network/14][1 pkts/86 bytes <-> 1 pkts/86 bytes][Goodput ratio: 51/51][< 1 sec][Host: www.wshifen.com][::][PLAIN TEXT (wshifen)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

    nDPI安装 - 图4

    1. $ cat nDPI/example/protos.txt
    4. #  Ports
    5. #  Format:
    6. #  <tcp|udp>:<port>,<tcp|udp>:<port>,.....@<proto>
    7. tcp:81,tcp:8181@HTTP
    8. udp:5061-5062@SIP
    9. tcp:860,udp:860,tcp:3260,udp:3260@iSCSI
    10. tcp:3000@ntop
    13. #  Subprotocols
    14. #  Format:
    15. #  host:"<value>",host:"<value>",.....@<subproto>
    16. host:"disneyplus.com"host:"cdn.registerdisney.go.com",host:"disney-
    17. portal.my.onetrust.com",host:"disneyplus.bn5x.net",host:"disney-
    18. plus.net"@DisneyPlus
    19. host:"*.lvlt.dash.us.aiv-cdn.net.c.footprint.net"@AmazonVideo
    20. host:"api-global.netflix.com"@Netflix
    23. #  IP based Subprotocols
    24. #  Format:
    25. #  ip:<value>,ip:<value>,.....@<subproto>
    26. #
    27. # NOTES
    28. # 1) the port of a custom protocol is optional but if
    29. #    specified it must match the port.
    30. # 2) you can specify up to 1 port per IP address
    31. # 3) if you specify a custom ip:<IP>:<PORT> rule,
    32. #    even if the <PORT> doesn't match the <IP>
    33. #    (if best match during the search) will
    34. #    have priority as best match. Example if
    35. #    you specify a <Google IP>:<port 9999> and
    36. #    in your traffic have match for such IP but
    37. #    with a port other than 9999, the IP address
    38. #    begin a best match will hve preference over
    39. #    <Google IP> so this protocol will not be
    40. #    detected as <L7 proto>.Google but only
    41. #    as <L7 proto>
    42. #
    43. ip:213.75.170.11/32:443@CustomProtocol
    44. ip:8.248.73.247:443@AmazonPrime
    45. ip:54.80.47.130@AmazonPrime

    nDPI安装 - 图5