DPI: Deep Packet Inspection



This tutorial details the features of T2 concerning Deep Packet Inspection (DPI). T2 implements a wrapper for the well-known nDPI library, which is widely used by researchers and technicians. Hence, T2 provides the user with a highly effective flow selection mechanism based on L7 applications, which makes producing training and test files for AI experiments very easy.


For this tutorial, it is assumed the user has a basic knowledge of Tranalyzer and that the file t2_aliases has been sourced in ~/.bashrc or ~/.bash_aliases as follows (Refer to How to install Tranalyzer for more details):

# $HOME/.bashrc

if [ -f "$T2HOME/scripts/t2_aliases" ]; then
    . "$T2HOME/scripts/t2_aliases"             # Note the leading '.'
fi

Make sure to replace $T2HOME with the actual path, e.g., $HOME/tranalyzer2-0.9.2.


The nDPI plugin requires the LGPL Crypto library (libgcrypt), which can be installed as follows:

  • LGPL Crypto library:

    Ubuntu sudo apt-get install libgcrypt20-dev
    Arch sudo pacman -S libgcrypt
    Gentoo sudo emerge libgcrypt
    openSUSE sudo zypper install libgcrypt-devel
    Red Hat/Fedora sudo dnf install libgcrypt-devel or sudo yum install libgcrypt-devel
    macOS brew install libgcrypt


First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the following plugins:

t2build tranalyzer2 basicFlow tcpStates portClassifier nDPI txtSink


If you have not created separate data and results directories yet, do it now in another bash window; this facilitates your workflow:

mkdir ~/data ~/results

The anonymized sample PCAP used in this tutorial can be downloaded here: faf-exercise.pcap.

Please save it in your ~/data folder.

Now you are all set for T2 flow based nDPI experiments.

Flow and packet based nDPI

For network admins and researchers, the L7 type of the traffic is of great interest. Selecting flows by this feature makes it very easy to weed out (un)interesting traffic, reduce the number of flows, or label flows for later AI training and testing. For the latter, the nDPI plugin supplies a numerical output besides the human-readable one.

To begin, change into the nDPI plugin directory (e.g., $T2HOME/plugins/nDPI) and list its contents:

ls

autogen.sh  clean.sh  configure.ac  COPYING  default.config  doc  Makefile.am  meson.build  new_ndpi_prepatch.sh  prototex  README  src  t2plconf  tests

Important to note is the new_ndpi_prepatch.sh script, which fetches the newest version of nDPI. Please refer to the documentation under the doc folder. Now let us look into the src directory:

ls src/

Makefile.am  nDPI  nDPI.c  nDPI.h

Besides the nDPI plugin files, there is the nDPI/ folder containing all the C code and libraries from the open-source nDPI project. Open the nDPI.h file to look at the configuration:

vi src/nDPI.h

/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define NDPI_OUTPUT_NUM    0 // Output a numerical classification
#define NDPI_OUTPUT_STR    1 // Output a textual classification
#define NDPI_OUTPUT_STATS  1 // Output nDPI protocol distribution in a separate file
#define NDPI_GUESS_UNKNOWN 1 // Try guessing protocol if not sure on flow terminate

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

/*          No env / runtime configuration flags available for nDPI           */

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */

We leave the numerical classification (NDPI_OUTPUT_NUM) off, although it is useful for machine learning, because we want to compare the nDPI classification with the L4 port meaning provided by portClassifier. You can switch it on if you like. If nDPI is not sure about the classification, T2 helps a bit by guessing the protocol on flow termination (NDPI_GUESS_UNKNOWN); this feature is enabled by default. If you changed the configuration, you need to rebuild nDPI; otherwise you can run T2 right away:

t2 -s -r ~/data/faf-exercise.pcap -w ~/results

Tranalyzer 0.9.1 (Anteater), Cobra. PID: 22346, SID: 666
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: portClassifier, 0.9.1
    03: nDPI, 0.9.1
    04: tcpStates, 0.9.1
    05: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/faf-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1258544215.037210000 sec (Wed 18 Nov 2009 11:36:55 GMT)
Dump stop : 1258594491.683288000 sec (Thu 19 Nov 2009 01:34:51 GMT)
Total dump duration: 50276.646078000 sec (13h 57m 56s)
Finished processing. Elapsed time: 0.146227673 sec
Finished unloading flow memory. Time: 0.146245162 sec
Percentage completed: 100.00%
Number of processed packets: 5902 (5.90 K)
Number of processed bytes: 4993414 (4.99 M)
Number of raw bytes: 4993414 (4.99 M)
Number of pcap bytes: 5087870 (5.09 M)
Number of IPv4 packets: 5902 (5.90 K) [100.00%]
Number of A packets: 1986 (1.99 K) [33.65%]
Number of B packets: 3916 (3.92 K) [66.35%]
Number of A bytes: 209315 (209.31 K) [4.19%]
Number of B bytes: 4784099 (4.78 M) [95.81%]
<A packet load>: 105.40
<B packet load>: 1221.68 (1.22 K)
nDPI: Number of flows classified: 72 [100.00%]
tcpStates: Aggregated tcpStatesAFlags=0x4a
Headers count: min: 3, max: 3, avg: 3.00
Number of TCP packets: 5902 (5.90 K) [100.00%]
Number of TCP bytes: 4993414 (4.99 M) [100.00%]
Number of processed      flows: 72
Number of processed IPv4 flows: 72 [100.00%]
Number of processed A    flows: 36 [50.00%]
Number of processed B    flows: 36 [50.00%]
Number of request        flows: 36 [50.00%]
Number of reply          flows: 36 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed A+B packets/A+B flows: 81.97
Number of processed A   packets/A   flows: 55.17
Number of processed   B packets/  B flows: 108.78
Number of processed total packets/s: 0.12
Number of processed A+B   packets/s: 0.12
Number of processed A     packets/s: 0.04
Number of processed   B   packets/s: 0.08
<Number of processed flows/s>: 0.00
<Bandwidth>: 792 b/s
<Raw bandwidth>: 795 b/s
Max number of flows in memory: 18 [0.01%]
Memory usage: 0.05 GB [0.07%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

The end report states that nDPI was able to classify all 72 flows. So let us look into the flow file in your results folder:

tcol ~/results/faf-exercise_flows.txt

%dir  flowInd  flowStat            timeFirst             timeLast              duration      numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  vlanID  srcIP           srcIPCC  srcIPOrg                       srcPort  dstIP           dstIPCC  dstIPOrg                       dstPort  l4Proto  dstPortClassN  dstPortClass  nDPIclass  tcpStatesAFlags
A     1        0x0400000000004000  1258544215.037210000  1258544215.372742000  0.335532000   1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800    07       "Private network"              1258    gb       "Akamai Technologies"          80       6        80             http          "HTTP"     0x00
B     1        0x0400000000004001  1258544215.202900000  1258544215.537951000  0.335051000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800     gb       "Akamai Technologies"          80   07       "Private network"              1258     6        80             http          "HTTP"     0x00
A     2        0x0400000000004000  1258544216.385370000  1258544216.723144000  0.337774000   1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800    07       "Private network"              1259    gb       "Akamai Technologies"          80       6        80             http          "HTTP"     0x00
B     2        0x0400000000004001  1258544216.551313000  1258544216.888595000  0.337282000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800     gb       "Akamai Technologies"          80   07       "Private network"              1259     6        80             http          "HTTP"     0x00
A     3        0x0400000000004000  1258544216.908284000  1258544217.008468000  0.100184000   1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800    07       "Private network"              1260  us       "California State University"  80       6        80             http          "HTTP"     0x00
B     3        0x0400000000004001  1258544216.915576000  1258544217.008019000  0.092443000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   us       "California State University"  80   07       "Private network"              1260     6        80             http          "HTTP"     0x00
A     4        0x0400000000004000  1258544217.003718000  1258544217.348506000  0.344788000   1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800    07       "Private network"              1261    gb       "Akamai Technologies"          80       6        80             http          "HTTP"     0x00
B     4        0x0400000000004001  1258544217.169421000  1258544217.513942000  0.344521000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800     gb       "Akamai Technologies"          80   07       "Private network"              1261     6        80             http          "HTTP"     0x00
A     5        0x0400000000004000  1258544217.349751000  1258544217.413719000  0.063968000   1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800    07       "Private network"              1262  us       "California State University"  80       6        80             http          "HTTP"     0x00
B     5        0x0400000000004001  1258544217.357036000  1258544217.413505000  0.056469000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   us       "California State University"  80   07       "Private network"              1262     6        80             http          "HTTP"     0x00
A     6        0x0400000000004000  1258544217.408963000  1258544217.754495000  0.345532000   1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800    07       "Private network"              1263    gb       "Akamai Technologies"          80       6        80             http          "HTTP"     0x00
B     6        0x0400000000004001  1258544217.574652000  1258544217.919686000  0.345034000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800     gb       "Akamai Technologies"          80   07       "Private network"              1263     6        80             http          "HTTP"     0x00
A     7        0x0400000000004000  1258544217.755746000  1258544217.791475000  0.035729000   1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800    07       "Private network"              1264  us       "California State University"  80       6        80             http          "HTTP"     0x00
B     7        0x0400000000004001  1258544217.763049000  1258544217.791016000  0.027967000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   us       "California State University"  80   07       "Private network"              1264     6        80             http          "HTTP"     0x00
A     8        0x0400000000004000  1258544217.786474000  1258544218.129260000  0.342786000   1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800    07       "Private network"              1265    gb       "Akamai Technologies"          80       6        80             http          "HTTP"     0x00
B     8        0x0400000000004001  1258544217.952162000  1258544218.294696000  0.342534000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800     gb       "Akamai Technologies"          80   07       "Private network"              1265     6        80             http          "HTTP"     0x00
A     9        0x0400000000004000  1258544218.130258000  1258544218.166240000  0.035982000   1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800    07       "Private network"              1266  us       "California State University"  80       6        80             http          "HTTP"     0x00
B     9        0x0400000000004001  1258544218.137543000  1258544218.165782000  0.028239000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800   us       "California State University"  80   07       "Private network"              1266     6        80             http          "HTTP"     0x00
A     11       0x0400000000004000  1258562478.204828000  1258562509.633367000  31.428539000  1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800    07       "Private network"              1384   us       "Mozilla"                      80       6        80             http          "HTTP"     0x00
B     11       0x0400000000004001  1258562478.266384000  1258562509.653978000  31.387594000  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800    us       "Mozilla"                      80   07       "Private network"              1384     6        80             http          "HTTP"     0x00
A     10       0x0400000000004000  1258562467.749142000  1258562509.633370000  41.884228000  1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800    07       "Private network"              1379   us       "Mozilla"                      80       6        80             http          "HTTP"     0x00
B     10       0x0400000000004001  1258562467.754689000  1258562509.653962000  41.899273000  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800    us       "Mozilla"                      80   07       "Private network"              1379     6        80             http          "HTTP"     0x00
A     12       0x0400000000004000  1258563573.941668000  1258563576.594009000  2.652341000   1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800    07       "Private network"              1397     07       "Private network"              25       6        25             smtp          "SMTP"     0x00
B     12       0x0400000000004001  1258563573.941709000  1258563576.594045000  2.652336000   1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800      07       "Private network"              25   07       "Private network"              1397     6        25             smtp          "SMTP"     0x08
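The flow file above is what the selection and labelling mechanism described at the start of this tutorial operates on. The following script is an added example, not part of Tranalyzer: it parses the tab-separated flow file written by txtSink (keyed on the %dir header names, so it works on the full file although the embedded sample is a constructed subset of columns), compares portClassifier's dstPortClass against nDPIclass, selects flows by L7 application and emits a labelled dataset. The FTP_DATA and Unknown rows in the sample are constructed to show the two cases where the port meaning and nDPI disagree; the script name ndpi_select.py in the usage note is assumed.

```python
"""Select and label Tranalyzer flows by nDPI classification (added example)."""
import sys
from collections import Counter

# Constructed sample: a subset of the columns of faf-exercise_flows.txt.
# The real file has many more columns; parse_flows() keys on the header
# names, so it runs unchanged on the full file.
SAMPLE_FLOWS = "\n".join([
    "%dir\tflowInd\tsrcPort\tdstPort\tl4Proto\tdstPortClassN\tdstPortClass\tnDPIclass",
    "A\t1\t1258\t80\t6\t80\thttp\t\"HTTP\"",
    "B\t1\t80\t1258\t6\t80\thttp\t\"HTTP\"",
    "A\t12\t1397\t25\t6\t25\tsmtp\t\"SMTP\"",
    "B\t12\t25\t1397\t6\t25\tsmtp\t\"SMTP\"",
    "A\t13\t1401\t21\t6\t21\tftp\t\"FTP_CONTROL\"",
    "A\t14\t1402\t49152\t6\t49152\tunknown\t\"FTP_DATA\"",  # constructed: port says nothing, DPI knows
    "A\t15\t1403\t443\t6\t443\thttps\t\"Unknown\"",         # constructed: DPI gave up
]) + "\n"


def parse_flows(text):
    """Yield one dict per flow row, keyed by the %dir header names.

    txtSink quotes string columns such as nDPIclass; the quotes are stripped.
    """
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    header = lines[0].lstrip("%").split("\t")
    for line in lines[1:]:
        fields = [f.strip('"') for f in line.split("\t")]
        yield dict(zip(header, fields))


def compare_port_vs_dpi(flows):
    """Count how often portClassifier's port meaning agrees with nDPI.

    Heuristic: 'http' vs 'HTTP' agree; 'ftp' vs 'FTP_CONTROL' agree on the
    family name before '_'. An nDPIclass of 'Unknown' is counted separately,
    because it says nothing about whether the port meaning is right.
    """
    stats = Counter()
    mismatches = []
    for f in flows:
        dpi = f["nDPIclass"]
        port = f["dstPortClass"].lower()
        if dpi.lower() == "unknown":
            stats["dpi_unknown"] += 1
        elif dpi.split("_")[0].lower() == port:
            stats["match"] += 1
        else:
            stats["mismatch"] += 1
            mismatches.append((f["flowInd"], f["dir"], port, dpi))
    return stats, mismatches


def select_by_class(flows, wanted):
    """Selection mechanism: keep only flows whose nDPIclass is in `wanted`."""
    wanted = {w.upper() for w in wanted}
    return [f for f in flows if f["nDPIclass"].upper() in wanted]


def labelled_dataset(flows, feature_cols=("l4Proto", "srcPort", "dstPort")):
    """Build (features, numeric label) rows for ML training/testing.

    With NDPI_OUTPUT_NUM=1 the plugin writes nDPI's own protocol IDs, which
    are stable across files; the mapping built here is only stable within
    one run, so it is returned so that it can be persisted with the data.
    """
    classes = sorted({f["nDPIclass"] for f in flows})
    label_of = {c: i for i, c in enumerate(classes)}
    rows = [([int(f[c]) for c in feature_cols], label_of[f["nDPIclass"]])
            for f in flows]
    return rows, label_of


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FLOWS
    flows = list(parse_flows(text))
    stats, mismatches = compare_port_vs_dpi(flows)
    print("port meaning vs nDPI:", dict(stats))
    for flow_ind, direction, port, dpi in mismatches:
        print(f"  flow {flow_ind}{direction}: port class {port!r} but nDPI says {dpi!r}")
    print("HTTP flows selected:", len(select_by_class(flows, ["HTTP"])))
    rows, label_of = labelled_dataset(flows)
    print("labels:", label_of)
```

Run it on the real output with python3 ndpi_select.py ~/results/faf-exercise_flows.txt; without an argument it runs on the constructed sample.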

The packet file produced by the -s option carries the same nDPIclass column, now per packet:

tcol ~/results/faf-exercise_packets.txt


If you scroll to the right, you will notice the nDPIclass column classifying the traffic. For this simple traffic mix, the port meaning actually matches the nDPI classification for most flows, except for the FTP-Data flow. As NDPI_OUTPUT_STATS is enabled, nDPI supplies a separate traffic type statistics file, shown below.

tcol ~/results/faf-exercise_nDPI.txt

# Protocol ID                         Packets                           Bytes  Description
  1                              22 [  0.37%]                  2595 [  0.05%]  FTP_CONTROL
  3                             894 [ 15.15%]                148980 [  2.98%]  SMTP
  7                             742 [ 12.57%]                608762 [ 12.19%]  HTTP
175                            4615 [ 78.19%]               4537458 [ 90.87%]  FTP_DATA

The file can be sorted and manipulated with the protStat script.

To sort the file by packets, run:

protStat ~/results/faf-exercise_nDPI.txt

Protocol ID	                       Packets	                         Bytes	Description
175	                          4615 [ 78.19%]	                       4537458 [ 90.87%]	FTP_DATA
  3	                           894 [ 15.15%]	                        148980 [  2.98%]	SMTP
  7	                           742 [ 12.57%]	                        608762 [ 12.19%]	HTTP
  1	                            22 [  0.37%]	                          2595 [  0.05%]	FTP_CONTROL

And to sort it by bytes, run it with the -b option as follows:

protStat -b ~/results/faf-exercise_nDPI.txt | tcol

Protocol ID                         Packets                                     Bytes            Description
175                                    4615 [ 78.19%]                         4537458 [ 90.87%]  FTP_DATA
  7                                     742 [ 12.57%]                          608762 [ 12.19%]  HTTP
  3                                     894 [ 15.15%]                          148980 [  2.98%]  SMTP
  1                                      22 [  0.37%]                            2595 [  0.05%]  FTP_CONTROL
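The statistics file format and the two sort orders of protStat (by packets, or by bytes with -b) are simple enough to reproduce, which is useful when you run T2 on several pcaps and want one combined distribution. The following script is an added example, not part of Tranalyzer or its protStat script: it parses one or more <prefix>_nDPI.txt files, sums packets and bytes per protocol ID, recomputes the percentages and sorts either way. Note that the percentages in the file are relative to the totals of the T2 end report (5902 packets, 4993414 bytes for this pcap), not to the sum of the listed rows, which is why the function takes optional totals; STATS_A below is the file from this tutorial, STATS_B is constructed.

```python
"""Aggregate and sort nDPI protocol-distribution files (added example)."""
import re
import sys
from collections import defaultdict

# STATS_A is faf-exercise_nDPI.txt as shown in the tutorial; STATS_B is a
# constructed second file standing in for a run on another pcap.
STATS_A = """# Protocol ID                         Packets                           Bytes  Description
  1                              22 [  0.37%]                  2595 [  0.05%]  FTP_CONTROL
  3                             894 [ 15.15%]                148980 [  2.98%]  SMTP
  7                             742 [ 12.57%]                608762 [ 12.19%]  HTTP
175                            4615 [ 78.19%]               4537458 [ 90.87%]  FTP_DATA
"""
STATS_B = """# Protocol ID                         Packets                           Bytes  Description
  7                             258 [ 72.07%]                 41238 [ 57.03%]  HTTP
  0                             100 [ 27.93%]                 31070 [ 42.97%]  Unknown
"""

# id  packets [pct%]  bytes [pct%]  description
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+\[\s*[\d.]+%\]\s+(\d+)\s+\[\s*[\d.]+%\]\s+(\S+)\s*$")


def parse_stats(text):
    """Return {protocol_id: (packets, bytes, description)} for one file."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised nDPI stats line: " + line)
        pid, pkts, byts, desc = m.groups()
        out[int(pid)] = (int(pkts), int(byts), desc)
    return out


def aggregate(*texts):
    """Sum packets and bytes per protocol ID across several stats files."""
    totals = defaultdict(lambda: [0, 0, ""])
    for text in texts:
        for pid, (pkts, byts, desc) in parse_stats(text).items():
            totals[pid][0] += pkts
            totals[pid][1] += byts
            totals[pid][2] = desc
    return {pid: tuple(v) for pid, v in totals.items()}


def sorted_rows(totals, by_bytes=False, total_packets=None, total_bytes=None):
    """Rows (id, packets, pkt%, bytes, byte%, desc), largest first.

    Percentages are relative to total_packets/total_bytes when given (use
    the T2 end-report numbers to reproduce the file), otherwise to the sum
    of the listed rows.
    """
    tp = total_packets or sum(v[0] for v in totals.values()) or 1
    tb = total_bytes or sum(v[1] for v in totals.values()) or 1
    rows = [(pid, p, 100.0 * p / tp, b, 100.0 * b / tb, d)
            for pid, (p, b, d) in totals.items()]
    rows.sort(key=lambda r: r[3 if by_bytes else 1], reverse=True)
    return rows


def format_table(rows):
    """Render rows in the layout of the nDPI stats file."""
    lines = ["Protocol ID       Packets                   Bytes             Description"]
    for pid, p, pp, b, bp, d in rows:
        lines.append(f"{pid:>11}  {p:>12} [{pp:6.2f}%]  {b:>13} [{bp:6.2f}%]  {d}")
    return "\n".join(lines)


if __name__ == "__main__":
    by_bytes = "-b" in sys.argv
    files = [a for a in sys.argv[1:] if a != "-b"]
    texts = [open(f).read() for f in files] or [STATS_A, STATS_B]
    print(format_table(sorted_rows(aggregate(*texts), by_bytes=by_bytes)))
```

Called as python3 ndpi_stats.py -b ~/results/*_nDPI.txt (script name assumed) it prints one byte-sorted distribution over all runs; without arguments it merges the two embedded samples.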

Now run t2 on the other pcaps or on your own ones and see how nDPI performs. As expected, it still struggles with encrypted traffic.


If you changed the configuration of the plugin, do not forget to reset it for the following tutorials:

t2conf --reset nDPI && t2build -R

Have fun!