nDPI Protocols List
This page provides the list of the protocols/applications supported by nDPI. For each protocol there is a brief description, some links to further, more detailed information and, optionally, some notes that might be useful when handling such a protocol (from the application/integrator point of view).
Work in progress!
NDPI_PROTOCOL_BFCP
BFCP (Binary Floor Control Protocol) is used for controlling and coordinating real-time data sharing and collaboration during video conferencing sessions.
References: RFC:
NDPI_PROTOCOL_IQIYI
iQIYI is a Chinese online video platform that offers a wide range of original and licensed content including movies, dramas, variety shows, and anime.
References: Main site:
NDPI_PROTOCOL_ADOBE_CONNECT
Adobe Connect is a web conferencing platform that allows users to conduct online meetings, webinars, and virtual classrooms.
References: Main site:
NDPI_PROTOCOL_IRC
IRC (Internet Relay Chat) is a text-based chat system for instant messaging.
References: Wikipedia: and Some statistics: <https://netsplit.de/networks/top10.php>
NDPI_PROTOCOL_TFTP
TFTP (Trivial File Transfer Protocol) is a very simple protocol used to transfer files, hence its name.
NDPI_PROTOCOL_MS_RPCH
A Remote Procedure Call protocol over HTTP from Microsoft.
References: Protocol Specs:
NDPI_PROTOCOL_EGD
Ethernet Global Data (EGD) is a communication protocol developed by GE Fanuc Automation for real-time data exchange between automation devices and control systems using standard Ethernet technology. It is widely adopted in industrial environments for its simplicity and reliability in data communication.
References: Wikipedia
Notes:
- This dissector only works for data packets, not configuration commands.
- IPv6 is not supported.
NDPI_PROTOCOL_COD_MOBILE
Call of Duty: Mobile is a free-to-play shooter game for iOS and Android devices. It has amassed over 650 million downloads worldwide, making it one of the most popular mobile games.
References: Main site:
NDPI_PROTOCOL_GOOGLE_MEET
Google Meet is a video conferencing service from Google.
References: Main site:
NDPI_PROTOCOL_VALVE_SDR
Steam Datagram Relay (SDR) is Valve’s virtual private gaming network. It is used in all modern games from Valve, and developers can also use it for their own games via the Steamworks SDK.
References: Main site:
NDPI_PROTOCOL_SRTP
The Secure Real-time Transport Protocol (SRTP) is a profile for Real-time Transport Protocol (RTP) intended to provide encryption, message authentication, integrity, and replay attack protection to the RTP data.
References: RFC3711
Notes:
- You can think of SRTP simply as the “encrypted” version of RTP, something like HTTPS vs HTTP;
- It is not usually possible to tell RTP from SRTP. nDPI generally reports RTP, and reports SRTP only when it is really sure that the media stream has been encrypted.
NDPI_PROTOCOL_EPICGAMES
Epic Games is a video game company developing the Unreal Engine and some successful games such as Fortnite and Gears of War.
NDPI_PROTOCOL_GEFORCENOW
GeForce Now is the brand used by Nvidia for its cloud gaming service.
References: Main site
NDPI_PROTOCOL_BITCOIN
Bitcoin is one of the most common cryptocurrencies.
References: Main site
Notes:
- Not every crypto exchange is mining; it could be a normal transaction, sending or receiving.
- The Bitcoin network protocol covers the broader set of rules that govern how all nodes in the network communicate and sync blocks and transactions with each other.
- On the other hand, mining protocols are more specific and deal directly with how miners interact with the network and participate in the mining process.
NDPI_PROTOCOL_PROTONVPN
Proton VPN is a VPN service operated by the Swiss company Proton AG, the company behind the email service Proton Mail.
References: Main site
NDPI_PROTOCOL_THRIFT
Apache Thrift is a generic data interchange framework that supports a bunch of different languages and platforms.
References: Official site and Github
NDPI_PROTOCOL_ROBLOX
Roblox is an online game platform and game creation system.
References: Main site
Notes:
- Since Roblox games use a custom version of the RakNet protocol, some Roblox flows might be classified as RakNet.
NDPI_PROTOCOL_SERVICE_LOCATION
The Service Location Protocol is a service discovery protocol that allows computers and other devices to find services in a local area network without prior configuration.
NDPI_PROTOCOL_MULLVAD
Mullvad is a VPN service operated by Mullvad VPN AB, based in Sweden.
References: Main site
NDPI_PROTOCOL_HTTP2
HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web.
References: RFC
Notes:
- HTTP/2 is almost always encrypted, i.e. transported over TLS.
NDPI_PROTOCOL_HAPROXY
HAProxy is a free and open source software that provides a high availability load balancer and reverse proxy for TCP and HTTP-based applications that spreads requests across multiple servers.
References: Main site:
NDPI_PROTOCOL_RMCP
The Intelligent Platform Management Interface (IPMI) is a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities independently of the host system’s CPU, firmware (BIOS or UEFI) and operating system.
References: Protocol Specs:
NDPI_PROTOCOL_CAN
Controller Area Network (CAN) is used extensively in automotive applications, with in excess of 400 million CAN enabled microcontrollers manufactured each year.
References: Protocol Specs:
NDPI_PROTOCOL_PROTOBUF
Protocol Buffers (Protobuf) is a free and open-source cross-platform data format used to serialize structured data.
References: Encoding:
NDPI_PROTOCOL_ETHEREUM
Ethereum is a decentralized, open-source blockchain with smart contract functionality.
References: Main site
Notes:
- As with Bitcoin, not every crypto exchange is mining; it could be a normal transaction (sending or receiving) or even blockchain exploration.
NDPI_PROTOCOL_PTPV2
IEEE 1588-2008 Precision Time Protocol (PTP) Version 2.
References: Protocol Specs:
NDPI_PROTOCOL_S7COMM_PLUS
A proprietary protocol from Siemens used for data exchange between PLCs and for accessing PLC data via SCADA systems. It is completely different from classic S7Comm, but also uses TPKT/COTP as a transport.
References: Unofficial description:
NDPI_PROTOCOL_FINS
Factory Interface Network Service (FINS) is a network protocol used by Omron PLCs.
References: Protocol Specs:
NDPI_PROTOCOL_ETHERSIO
Ether-S-I/O is a proprietary protocol used by Saia-Burgess’s PLCs.
References: Wireshark wiki:
NDPI_PROTOCOL_UMAS
UMAS is a proprietary Schneider Electric protocol based on Modbus. It’s used in Modicon M580 and Modicon M340 CPU-based PLCs.
References: Unofficial article:
NDPI_PROTOCOL_BECKHOFF_ADS
Automation Device Specification is the protocol used for interfacing with Beckhoff PLCs via TwinCAT.
References: Protocol Specs:
NDPI_PROTOCOL_ISO9506_1_MMS
The international standard MMS (Manufacturing Message Specification) is an OSI application layer messaging protocol originally designed for the remote control and monitoring of devices such as Remote Terminal Units (RTU), Programmable Logic Controllers (PLC), Numerical Controllers (NC), or Robot Controllers (RC).
References: Paid Specs:
NDPI_PROTOCOL_IEEE_C37118
IEEE Standard for Synchrophasor Data Transfer for Power Systems.
References: Paid Specs:
NDPI_PROTOCOL_ETHERSBUS
Ether-S-Bus is a proprietary protocol used for the communication with and between PLCs manufactured by Saia-Burgess Controls Ltd.
References: Wireshark wiki:
NDPI_PROTOCOL_MONERO
Monero is a private and decentralized cryptocurrency with focus on confidentiality and security.
NDPI_PROTOCOL_DCERPC
DCE/RPC is a specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol.
References: Wireshark wiki:
NDPI_PROTOCOL_PROFINET_IO
PROFINET/IO is a field bus protocol based on connectionless DCE/RPC.
References: Protocol Specs:
NDPI_PROTOCOL_HISLIP
High-Speed LAN Instrument Protocol (HiSLIP) is a protocol for remote instrument control of LAN-based test and measurement instruments.
References: Protocol Specs:
NDPI_PROTOCOL_OPENFLOW
OpenFlow protocol is a network protocol closely associated with Software-Defined Networking (SDN).
References: Protocol Specs:
NDPI_PROTOCOL_JSON_RPC
JSON-RPC is a remote procedure call protocol encoded in JSON.
References: Protocol Specs:
NDPI_PROTOCOL_WEBDAV
WebDAV is a set of extensions to the HTTP protocol that allows WebDAV clients to collaboratively edit and manage files on remote Web servers.
References: RFC4918:
Notes:
- WebDAV is almost always encrypted, i.e. transported over TLS.
NDPI_PROTOCOL_APACHE_KAFKA
Apache Kafka is a distributed event store and stream-processing platform.
References: Official site and Github
NDPI_PROTOCOL_NOMACHINE
NoMachine is a popular proprietary remote desktop software.
References: Main site
NDPI_PROTOCOL_IEC62056
IEC 62056-4-7 DLMS/COSEM is a transport layer for IP networks.
References: Paid Specs:
Notes:
- Wireshark is not able to recognize this protocol. Some old plugins/code (with some documentation) are available here <https://github.com/bearxiong99/wireshark-dlms> and here <https://github.com/matousp/dlms-analysis/tree/master>.
NDPI_PROTOCOL_HL7
HL7 is a range of global standards for the transfer of clinical and administrative health data between applications.
References: Main site
NDPI_PROTOCOL_GOOGLE_CHAT
Google Chat is an instant messaging service from Google, which replaced Hangouts.
References: Main site
NDPI_PROTOCOL_ROUGHTIME
A protocol that aims to achieve rough time synchronization while detecting servers that provide inaccurate time and providing cryptographic proof of their malfeasance.
References: IETF Draft
NDPI_PROTOCOL_PIA
Private Internet Access (PIA) is a popular VPN service from Kape Technologies.
References: Main site
NDPI_PROTOCOL_KCP
KCP is a fast and reliable ARQ protocol. It provides TCP-like stream support with low latency at the cost of bandwidth usage, and is used by lots of open source and third-party applications.
References: Protocol Specs:
NDPI_PROTOCOL_DOTA2
Dota 2 is an extremely popular multiplayer MOBA game from Valve.
References: Main site
NDPI_PROTOCOL_MUMBLE
Mumble is a free, open source, low latency, high quality voice chat application.
References: Main site
NDPI_PROTOCOL_YOJIMBO
Yojimbo (netcode) is a secure connection-based client/server protocol built on top of UDP.
References: Protocol Specs:
NDPI_PROTOCOL_ELECTRONICARTS
Electronic Arts is a leading publisher of games on Console, PC and Mobile.
References: Main site
Notes:
- Almost all of that traffic is related to their EA Origin game store.
NDPI_PROTOCOL_STOMP
STOMP is a simple interoperable protocol designed for asynchronous message passing between clients via mediating servers. Supported in ActiveMQ and RabbitMQ.
References: Protocol Specs:
NDPI_PROTOCOL_RADMIN
Radmin is remote access software for the Microsoft Windows platform.
References: Main site
NDPI_PROTOCOL_RAFT
Raft is a consensus algorithm and protocol for managing a replicated log.
References: C implementation and Paper
NDPI_PROTOCOL_GEARMAN
Gearman is a network-based job-queuing system that was initially developed by Danga Interactive in order to process large volumes of jobs.
References: Main site
NDPI_PROTOCOL_TENCENTGAMES
A protocol used by various games from Tencent (mostly mobile games).
References: Main site
NDPI_PROTOCOL_GAIJIN
Protocols used in various games from Gaijin Entertainment.
References: Main site
NDPI_PROTOCOL_C1222
ANSI C12.22 (IEEE Std 1703) describes a protocol for transporting ANSI C12.19 table data over networks. It’s mostly used to communicate with electric meters.
References: Paid specs
NDPI_PROTOCOL_DLEP
The Dynamic Link Exchange Protocol (DLEP) is a radio aware routing (RAR) protocol.
References: RFC
NDPI_PROTOCOL_BFD
Bidirectional Forwarding Detection is a network protocol that is used to detect faults between two routers or switches.
References: RFC
NDPI_PROTOCOL_GOOGLE_CALL
Audio/video calls made by (any) Google applications (e.g. Google Meet).
References: Main site:
Notes:
- nDPI usually uses different protocol ids for the generic application traffic and for its “realtime” traffic (examples: NDPI_PROTOCOL_MEET/NDPI_PROTOCOL_GOOGLE_CALL, NDPI_PROTOCOL_WHATSAPP/NDPI_PROTOCOL_WHATSAPP_CALL, …)
NDPI_PROTOCOL_PFCP
PFCP is a protocol used for communicating between control plane (CP) and user plane (UP) functions in 4G and 5G networks.
References: Protocol Specs:
NDPI_PROTOCOL_LOLWILDRIFT
League of Legends: Wild Rift is a mobile MOBA game.
References: Main site
NDPI_PROTOCOL_TESO
The Elder Scrolls Online is an MMORPG set in the fantasy world of Tamriel.
References: Main site
NDPI_PROTOCOL_LDP
The Label Distribution Protocol (LDP) is a routing protocol used to establish and maintain label-switched paths in a Multiprotocol Label Switching (MPLS) network.
References: RFC
NDPI_PROTOCOL_KNXNET_IP
KNXnet/IP is a building automation protocol that enables the exchange of data and control information over IP networks, extending the KNX standard for home and building automation.
References: Paid Specs:
NDPI_PROTOCOL_BLUESKY
Bluesky, also known as Bluesky Social, is a decentralized microblogging social platform.
References: Main site:
NDPI_PROTOCOL_MASTODON
Mastodon is free and open-source software for running self-hosted social networking services. It has microblogging features similar to Twitter.
References: Main site:
NDPI_PROTOCOL_THREADS
Threads is an online social media and social networking service operated by Meta Platforms.
References: Main site:
NDPI_PROTOCOL_ZUG
The ZUG protocol is part of the Casper 2.0 consensus model.
NDPI_PROTOCOL_JRMI
The JRMI protocol is the Java Remote Method Invocation protocol.
References: Oracle site
NDPI_PROTOCOL_RIPE_ATLAS
The RIPE Atlas probe protocol is used for the world’s largest active Internet measurement network.
References: Main Site and Documentation
NDPI_PROTOCOL_HLS
HTTP Live Streaming (HLS) is an adaptive bitrate streaming communications protocol developed by Apple Inc. It allows for the delivery of media content over the internet by breaking the stream into small segments and adjusting the quality of the stream in real time based on the viewer’s network conditions.
References: RFC