nDPI Protocols List

This page provides the list of the protocols/applications supported by nDPI. For each protocol there is a brief description, some links to further, more detailed information and, optionally, some notes that might be useful when handling such a protocol (from the application/integrator point of view)

Work in progress!

NDPI_PROTOCOL_BFCP

BFCP (Binary Floor Control Protocol) is used for controlling and coordinating real-time data sharing and collaboration during video conferencing sessions.

References: RFC:

NDPI_PROTOCOL_IQIYI

iQIYI is a Chinese online video platform that offers a wide range of original and licensed content including movies, dramas, variety shows, and anime.

References: Main site:

NDPI_PROTOCOL_ADOBE_CONNECT

Adobe Connect is a web conferencing platform that allows users to conduct online meetings, webinars, and virtual classrooms.

References: Main site:

NDPI_PROTOCOL_IRC

IRC (Internet Relay Chat) is a text-based chat system for instant messaging.

References: Wikipiedia: and Some statistics: <https://netsplit.de/networks/top10.php>

NDPI_PROTOCOL_HART_IP

Highway Addressable Remote Transducer over IP

References: Protocol Specs:

NDPI_PROTOCOL_TFTP

TFTP is a very simple protocol used to transfer files. It is from this that its name comes, Trivial File Transfer Protocol or TFTP.

References: RFC1350 and RFC2347 and RFC2349

NDPI_PROTOCOL_MS_RPCH

A Remote Procedure Call protocol over HTTP from Microsoft.

References: Protocol Specs:

NDPI_PROTOCOL_EGD

Ethernet Global Data (EGD) is a communication protocol developed by GE Fanuc Automation for real-time data exchange between automation devices and control systems using standard Ethernet technology. It is widely adopted in industrial environments for its simplicity and reliability in data communication.

References: Wikipedia

Notes:

  • This dissector only works for data packets, not configuration commands.
  • IPv6 is not supported

NDPI_PROTOCOL_RTMP

Real-Time Messaging Protocol (RTMP) is a communication protocol for streaming audio, video, and data over the Internet.

References: Wikipedia

NDPI_PROTOCOL_RESP

Redis Serialization Protocol

References: Protocol Specs:

NDPI_PROTOCOL_COD_MOBILE

Call of Duty: Mobile is a free-to-play shooter game for iOS and Android devices. It has amassed over 650 million downloads worldwide, making it one of the most popular mobile games.

References: Main site:

NDPI_PROTOCOL_GOOGLE_MEET

Google Meet is a video conferencing service from Google.

References: Main site:

NDPI_PROTOCOL_VALVE_SDR

Steam Datagram Relay (SDR) is Valve’s virtual private gaming network. Used in all modern games from Valve, but can also be used by developers via the Steamworks SDK for their games.

References: Main site:

NDPI_PROTOCOL_SRTP

The Secure Real-time Transport Protocol (SRTP) is a profile for Real-time Transport Protocol (RTP) intended to provide encryption, message authentication, integrity, and replay attack protection to the RTP data.

References: RFC3711

Notes:

  • You can think of SRTP simply as the “encrypted” version of RTP, something like HTTPS vs HTTP;
  • It is not usually possible to tell RTP from SRTP. nDPI generally uses the former and it uses the latter only when it is really sure that the media stream has been encrypted.

NDPI_PROTOCOL_OPERA_VPN

Opera VPN is a free VPN included with Opera Browser.

References: Main site

NDPI_PROTOCOL_EPICGAMES

Epic Games is a video game company developing the Unreal Engine and some successful games as Fortnite and Gears of War.

References: Main site and Fortnite

NDPI_PROTOCOL_GEFORCENOW

GeForce Now is the brand used by Nvidia for its cloud gaming service.

References: Main site

NDPI_PROTOCOL_NVIDIA

Generic web traffic from Nvidia sites.

References: Main site

NDPI_PROTOCOL_BITCOIN

Bitcoin is one of the most common crypto currencies.

References: Main site

Notes:

  • Not each crypto exchange is a mining, it could be a normal transaction, sending or receving.
  • Bitcoin network protocol covers the broader set of rules that govern how all nodes in the network communicate and sync with each others blocks and transactions.
  • On the other hand mining protocols are more specific and deal directly with how miners interact with the network and participate in the mining process.

NDPI_PROTOCOL_PROTONVPN

Proton VPN is a VPN service operated by the Swiss company Proton AG, the company behind the email service Proton Mail

References: Main site

NDPI_PROTOCOL_THRIFT

Apache Thrift is a generic data interchange framework that supports a bunch of different languages and platforms.

References: Official site and Github

NDPI_PROTOCOL_ROBLOX

Roblox is an online game platform and game creation system.

References: Main site

Notes:

  • Since Roblox games use a custom version of the RakNet protocol, some Roblox flows might be classified as RakNet.

NDPI_PROTOCOL_SERVICE_LOCATION

The Service Location Protocol is a service discovery protocol that allows computers and other devices to find services in a local area network without prior configuration.

References: SLPv1 and SLPv2

NDPI_PROTOCOL_MULLVAD

Mullvad is a VPN service operated by Mullvad VPN AB, based in Sweden

References: Main site

NDPI_PROTOCOL_HTTP2

HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web.

References: RFC

Notes:

  • HTTP/2 is almost always encrypted, i.e. transported over TLS.

NDPI_PROTOCOL_HAPROXY

HAProxy is a free and open source software that provides a high availability load balancer and reverse proxy for TCP and HTTP-based applications that spreads requests across multiple servers.

References: Main site:

NDPI_PROTOCOL_RMCP

The Intelligent Platform Management Interface (IPMI) is a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities independently of the host system’s CPU, firmware (BIOS or UEFI) and operating system.

References: Protocol Specs:

NDPI_PROTOCOL_CAN

Controller Area Network (CAN) is used extensively in automotive applications, with in excess of 400 million CAN enabled microcontrollers manufactured each year.

References: Protocol Specs:

NDPI_PROTOCOL_PROTOBUF

Protocol Buffers (Protobuf) is a free and open-source cross-platform data format used to serialize structured data.

References: Encoding:

NDPI_PROTOCOL_ETHEREUM

Ethereum is a decentralized, open-source blockchain with smart contract functionality.

References: Main site

Notes:

  • same as Bitcoin, not each crypto exchange is a mining, it could be a normal transaction, sending or receving or even blockchain exploration.

NDPI_PROTOCOL_TELEGRAM_VOIP

Audio/video calls made using the telegram app.

References: Wikipedia

NDPI_PROTOCOL_SINA_WEIBO

Chinese microblogging (weibo) website.

References: Wikipedia

NDPI_PROTOCOL_PTPV2

IEEE 1588-2008 Precision Time Protocol (PTP) Version 2.

References: Protocol Specs:

NDPI_PROTOCOL_RTPS

Real-Time Publish Subscribe Protocol

References: Protocol Specs:

NDPI_PROTOCOL_OPC_UA

IEC62541 OPC Unified Architecture

References: Protocol Specs:

NDPI_PROTOCOL_S7COMM_PLUS

A proprietary protocol from Siemens used for data exchange between PLCs and access PLC data via SCADA systems. Completely different from classic S7Comm, but also uses TPKT/COTP as a transport.

References: Unofficial description:

NDPI_PROTOCOL_FINS

Factory Interface Network Service (FINS) is a network protocol used by Omron PLCs.

References: Protocol Specs:

NDPI_PROTOCOL_ETHERSIO

Ether-S-I/O is a proprietary protocol used by Saia-Burgess’s PLCs.

References: Wireshark wiki:

NDPI_PROTOCOL_UMAS

UMAS is a proprietary Schneider Electric protocol based on Modbus. It’s used in Modicon M580 and Modicon M340 CPU-based PLCs.

References: Unofficial article:

NDPI_PROTOCOL_BECKHOFF_ADS

Automation Device Specification is the protocol used for interfacing with Beckhoff PLCs via TwinCAT.

References: Protocol Specs:

NDPI_PROTOCOL_ISO9506_1_MMS

The international standard MMS (Manufacturing Message Specification) is an OSI application layer messaging protocol origionally designed for the remote control and monitoring of devices such as Remote Terminal Units (RTU), Programmable Logic Controllers (PLC), Numerical Controllers (NC), or Robot Controllers (RC).

References: Paid Specs:

NDPI_PROTOCOL_IEEE_C37118

IEEE Standard for Synchrophasor Data Transfer for Power Systems

References: Paid Specs:

NDPI_PROTOCOL_ETHERSBUS

Ether-S-Bus is a proprietary protocol used for the communication with and between PLCs manufactured by Saia-Burgess Controls Ltd.

References: Wireshark wiki:

NDPI_PROTOCOL_MONERO

Monero is a private and decentralized cryptocurrency with focus on confidentiality and security.

NDPI_PROTOCOL_DCERPC

DCE/RPC is a specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol.

References: Wireshark wiki:

NDPI_PROTOCOL_PROFINET_IO

PROFINET/IO is a field bus protocol based on connectionless DCE/RPC.

References: Protocol Specs:

NDPI_PROTOCOL_HISLIP

High-Speed LAN Instrument Protocol (HiSLIP) is a protocol for remote instrument control of LAN-based test and measurement instruments.

References: Protocol Specs:

NDPI_PROTOCOL_UFTP

Encrypted UDP based FTP with multicast.

References: Protocol Specs:.

NDPI_PROTOCOL_OPENFLOW

OpenFlow protocol is a network protocol closely associated with Software-Defined Networking (SDN).

References: Protocol Specs:

NDPI_PROTOCOL_JSON_RPC

JSON-RPC is a remote procedure call protocol encoded in JSON.

References: Protocol Specs:

NDPI_PROTOCOL_WEBDAV

WebDAV is a set of extensions to the HTTP protocol that allows WebDAV clients to collaboratively edit and manage files on remote Web servers.

References: RFC4918:

Notes:

  • WebDAV is almost always encrypted, i.e. transported over TLS.

NDPI_PROTOCOL_APACHE_KAFKA

Apache Kafka is a distributed event store and stream-processing platform.

References: Official site and Github

NDPI_PROTOCOL_NOMACHINE

NoMachine is a popular proprietary remote desktop software.

References: Main site

NDPI_PROTOCOL_IEC62056

IEC 62056-4-7 DLMS/COSEM is a transport layer for IP networks.

References: Paid Specs:

Notes:

  • Wireshark is not able to recognize this protocol. Some old plugins/code (with some documentation) are available here <https://github.com/bearxiong99/wireshark-dlms> and here <https://github.com/matousp/dlms-analysis/tree/master>.

NDPI_PROTOCOL_HL7

HL7 is a range of global standards for the transfer of clinical and administrative health data between applications.

References: Main site

NDPI_PROTOCOL_CEPH

Ceph is a scalable distributed storage system.

References: Main site

NDPI_PROTOCOL_GOOGLE_CHAT

Google Chat is an instant messaging service from Google, which replaced Hangouts.

References: Main site

NDPI_PROTOCOL_ROUGHTIME

A protocol that aims to achieve rough time synchronization while detecting servers that provide inaccurate time and providing cryptographic proof of their malfeasance.

References: IETF Draft

NDPI_PROTOCOL_PIA

Private Internet Access (PIA) is a popular VPN service from Kape Technologies.

References: Main site

NDPI_PROTOCOL_KCP

KCP - A Fast and Reliable ARQ Protocol. It provides TCP-like stream support with low latency at the cost of bandwidth usage - used by lot’s of Open Source / Third Party applications.

References: Protocol Specs:

NDPI_PROTOCOL_DOTA2

Dota 2 is an extremely popular multiplayer MOBA game from Valve.

References: Main site

NDPI_PROTOCOL_MUMBLE

Mumble is a free, open source, low latency, high quality voice chat application.

References: Main site

NDPI_PROTOCOL_YOJIMBO

Yojimbo (netcode) is a secure connection-based client/server protocol built on top of UDP.

References: Protocol Specs:

NDPI_PROTOCOL_ELECTRONICARTS

Electronic Arts is a leading publisher of games on Console, PC and Mobile.

References: Main site

Notes:

  • Almost all of that traffic is related to their EA Origin game store.

NDPI_PROTOCOL_STOMP

STOMP is a simple interoperable protocol designed for asynchronous message passing between clients via mediating servers. Supported in ActiveMQ and RabbitMQ.

References: Protocol Specs:

NDPI_PROTOCOL_RADMIN

Radmin is remote access software for the Microsoft Windows platform.

References: Main site

NDPI_PROTOCOL_RAFT

Raft is a consensus algorithm and protocol for managing a replicated log.

References: C implementation and Paper

NDPI_PROTOCOL_GEARMAN

Gearman is a network-based job-queuing system that was initially developed by Danga Interactive in order to process large volumes of jobs.

References: Main site

NDPI_PROTOCOL_TENCENTGAMES

A protocol used by various games from Tencent (mostly mobile games).

References: Main site

NDPI_PROTOCOL_GAIJIN

Protocols used in various games from Gaijin Entertainment.

References: Main site

NDPI_PROTOCOL_C1222

ANSI C12.22 (IEEE Std 1703) describe a protocol for transporting ANSI C12.19 table data over networks. It’s mostly used to communicate with electric meters.

References: Paid specs

NDPI_PROTOCOL_HUAWEI

Generic Huawei traffic.

References: Main site

NDPI_PROTOCOL_HUAWEI_CLOUD

Huawei Mobile Cloud.

References: Main site

NDPI_PROTOCOL_DLEP

The Dynamic Link ExchangeProtocol (DLEP) is a radio aware routing (RAR) protocol.

References: RFC

NDPI_PROTOCOL_BFD

Bidirectional Forwarding Detection is a network protocol that is used to detect faults between two routers or switches.

References: RFC

NDPI_PROTOCOL_NETEASE_GAMES

Traffic of various NetEase games.

References: Main site

NDPI_PROTOCOL_PATHOFEXILE

Path of Exile is a free-to-play online Action RPG.

References: Main site

NDPI_PROTOCOL_GOOGLE_CALL

Audio/video calls made by (any) Google applications (i.e Google Meet).

References: Main site:

Notes:

  • nDPI usually uses different protocol ids for the generic application traffic and for its “realtime” traffic (examples: NDPI_PROTOCOL_MEET/NDPI_PROTOCOL_GOOGLE_CALL, NDPI_PROTOCOL_WHATSAPP/NDPI_PROTOCOL_WHATSAPP_CALL, …)

NDPI_PROTOCOL_PFCP

PFCP is a protocol used for communicating between control plane (CP) and user plane (UP) functions in 4G and 5G networks.

References: Protocol Specs:

NDPI_PROTOCOL_FLUTE

File Delivery over Unidirectional Transport.

References: RFC

NDPI_PROTOCOL_LOLWILDRIFT

League of Legends: Wild Rift is a mobile MOBA game.

References: Main site

NDPI_PROTOCOL_TESO

The Elder Scrolls Online is a MMORPG set in the fantasy world of Tamriel.

References: Main site

NDPI_PROTOCOL_LDP

The Label Distribution Protocol (LDP) is a routing protocol used to establish and maintain label-switched paths in a Multiprotocol Label Switching (MPLS) network.

References: RFC

NDPI_PROTOCOL_KNXNET_IP

KNXnet/IP is a building automation protocol that enables the exchange of data and control information over IP networks, extending the KNX standard for home and building automation.

References: Paid Specs:

NDPI_PROTOCOL_BLUESKY

Bluesky, also known as Bluesky Social, is a decentralized microblogging social platform.

References: Main site:

NDPI_PROTOCOL_MASTODON

Mastodon is free and open-source software for running self-hosted social networking services. It has microblogging features similar to Twitter.

References: Main site:

NDPI_PROTOCOL_THREADS

Threads is an online social media and social networking service operated by Meta Platforms.

References: Main site:

NDPI_PROTOCOL_VIBER_VOIP

Audio/video calls made using the Viber app.

References: Wikipedia

NDPI_PROTOCOL_ZUG

The ZUG protocol is part of the Casper 2.0 consensus model.

References: Main Site and Blog Post

NDPI_PROTOCOL_JRMI

The JRMI protocol is the Java Remote Method Invocation protocol.

References: Oracle site

NDPI_PROTOCOL_RIPE_ATLAS

The RIPE Atlas probe protocol is used for the world’s largest active Internet measurement network.

References: Main Site and Documentation

NDPI_PROTOCOL_HLS

HTTP Live Streaming (HLS) is an adaptive bitrate streaming communications protocol developed by Apple Inc. It allows for the delivery of media content over the internet by breaking the stream into small segments and adjusting the quality of the stream in real time based on the viewer’s network conditions.

References: RFC

NDPI_PROTOCOL_CLICKHOUSE

ClickHouse is an open-source columnar database management system designed for online analytical processing (OLAP) of queries.

References: Main site:

NDPI_PROTOCOL_NANO

Nano (XNO) is a decentralized, open-source cryptocurrency that focuses on delivering fast, fee-less, and eco-friendly transactions through its unique block-lattice structure.

References: Main site:

NDPI_PROTOCOL_OPENWIRE

OpenWire is a wire protocol used by Apache ActiveMQ for communication between clients and brokers, providing an efficient and flexible messaging framework. While it’s not the most popular choice compared to other protocols like AMQP or MQTT, it is still utilized in scenarios where ActiveMQ is heavily integrated.

References: Main site:

NDPI_PROTOCOL_CNP_IP

ISO/IEC 14908-4 specifies how to tunnel LonWorks control network protocol packets over IP networks. It enables encapsulation of the LonTalk protocol within UDP or TCP packets for transmission across IP-based networks.

References: Paid Specs:

NDPI_PROTOCOL_ATG

This protocol is used to transfer data between the various components of an ATG (Automatic Tank Gauge) system.

References: Protocol Specs:

NDPI_PROTOCOL_TRDP

The Train Real Time Data Protocol (TRDP) is a UDP/TCP-based communication protocol designed for IP networks in trains, enabling data exchange between devices such as door controls and air conditioning systems. It is standardized by the IEC under IEC 61375-2-3 and is not related to the Remote Desktop Protocol (RDP).

References: Protocol Specs:

NDPI_PROTOCOL_LUSTRE

Lustre is a high-performance, parallel distributed file system designed for large-scale computing environments. It is widely used in supercomputing and enterprise storage systems due to its ability to handle massive amounts of data and provide high-speed I/O operations across numerous nodes.

References: Main site:

NDPI_PROTOCOL_NORDVPN

NordVPN is a VPN service.

References: Main site:

NDPI_PROTOCOL_SURFSHARK

Surfshark is a brand of VPN services offered by the Netherlands-based company Surfshark B.V.

References: Main site:

NDPI_PROTOCOL_CACTUSVPN

CactusVPN is a VPN service.

References: Main site:

NDPI_PROTOCOL_WINDSCRIBE

Windscribe is a commercial, cross-platform virtual private network (VPN) service provider based in Canada.

References: Main site:

NDPI_PROTOCOL_SONOS

Sonos is a company that provides high-quality, wireless sound systems allowing users to stream audio through a variety of speakers seamlessly throughout their home.

References: Main site:

NDPI_PROTOCOL_DINGTALK

DingTalk is a versatile communication and collaboration platform developed by Alibaba Group.

References: Main site:

NDPI_PROTOCOL_PALTALK

Paltalk is a video chat and instant messaging application that allows users to communicate through video, voice, and text in chat rooms.

References: Main site:

NDPI_PROTOCOL_NAVER

Naver is South Korea’s largest search engine and online platform that offers various services including web search, email, news, shopping, cloud storage, maps, and social media features.

References: Main site:

NDPI_PROTOCOL_SHEIN

Shein is a fast fashion retailer.

References: Main site

NDPI_PROTOCOL_TEMU

Temu is an online marketplace operated by the Chinese e-commerce company PDD Holdings.

References: Main site

NDPI_PROTOCOL_TAOBAO

Taobao is a Chinese online shopping platform.

References: Main site

NDPI_PROTOCOL_MIKROTIK

MikroTik Neighbor Discovery Protocol, is a protocol that allows us to find neighbor routers/switches which are compatible with the following neighboring protocols: MNDP: MikroTik Proprietary. CDP: Cisco Proprietary.

References: Main site

NDPI_PROTOCOL_DICOM

Digital Imaging and Communications in Medicine (DICOM) is a technical standard for the digital storage and transmission of medical images and related information.

References: Wikipwdia

NDPI_PROTOCOL_PARAMOUNTPLUS

Paramount+ (formerly CBS All Access and 10 All Access in Australia until 2021) is an American subscription video on-demand over-the-top streaming service owned by Paramount Global.

References: Main site

NDPI_PROTOCOL_YANDEX_ALICE

Yandex Alice is a voice assistant developed by Yandex, providing answers, performing tasks, and supporting smart home integration, similar to Alexa or Google Assistant.

References: Main site