From: Ed W <lists@wildgooses.com>
To: Andrew Beverley <andy@andybev.com>
Cc: netfilter@vger.kernel.org, ntop-dev@unipi.it
Subject: Re: New/Updated L7 netfilter option - nDPI
Date: Sun, 28 Oct 2012 16:34:46 +0000
Message-ID: <508D5EA6.8040004@wildgooses.com>
In-Reply-To: <1351412418.2740.5.camel@andylaptop>

On 28/10/2012 08:20, Andrew Beverley wrote:
> On Wed, 2012-10-24 at 23:53 +0100, Ed W wrote:
>> Hi all.  There is an interesting project that was called opendpi
>> (originally by ipoque GmbH) and has recently been forked and maintained by
>> the ntop guys under the nDPI label.  It offers a new and currently
>> maintained layer 7 (L7) packet identification library.
> That's great news.
>
> I had a play with l7-filter some time ago, which I assume is similar to
> nDPI. How do the 2 projects compare?

Actually, just to augment my last answer.

The biggest thing I pick out as "interesting" in nDPI is that it has a
go at inspecting SSL traffic and odd sub-protocols of HTTP (e.g. Skype,
Windows Update).  Given that we are rapidly seeing everything start to
look like an HTTP protocol and then there is SSL on top, it's tricky to
classify stuff like Skype or Facebook traffic.  nDPI can do this
(although it would benefit from more work in this area). So if your SSL
certificate says mail.google.com, then you can guess the "protocol" in
use...

So if you want a one-trick reason to try nDPI, right now you can use it
to block/prioritise/time-restrict Skype... (or Windows Update, etc.)

I have a load of users on expensive satellite connections and I need to
help protect them from themselves, so being able to prevent Windows
Update from banging 10MB down a $30/MB connection is very helpful.  I
also use your Squid patches to do sticky per-user conntrack labelling of
traffic, hence enabling users to choose a traffic profile (so they
can choose to do the above if they really want to...)

Cheers

Ed W
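
The certificate-name idea mentioned in the message above, sketched as an added example (not part of the original post and not nDPI's code): the server certificate crosses the wire in cleartext during the handshake, so a classifier can scan those bytes for commonName attributes and map the hostname to a label. The `LABELS` table and all function names are hypothetical, the scan is a heuristic rather than a full X.509 parser, and the sample bytes are constructed.

```python
# Added example: heuristic commonName extraction from cleartext certificate bytes.
CN_OID = bytes.fromhex("0603550403")  # DER: OBJECT IDENTIFIER 2.5.4.3 (commonName)
STRING_TAGS = {0x0C, 0x13, 0x16}      # UTF8String, PrintableString, IA5String

# Hypothetical policy table (suffix -> label); not nDPI's real signature list.
LABELS = {"google.com": "google", "skype.com": "skype",
          "windowsupdate.com": "windows_update"}

def common_names(data: bytes) -> list[str]:
    """Return every commonName value found in a buffer of DER bytes."""
    names, pos = [], 0
    while (pos := data.find(CN_OID, pos)) != -1:
        pos += len(CN_OID)
        # Need tag + short-form length, and the value must fit in the buffer.
        if pos + 2 > len(data) or data[pos] not in STRING_TAGS:
            continue
        length = data[pos + 1]
        value = data[pos + 2 : pos + 2 + length]
        if length < 0x80 and len(value) == length:
            names.append(value.decode("ascii", "replace").lower())
    return names

def classify(data: bytes) -> str:
    """Map the first recognised certificate name to a label, else 'unknown'."""
    for name in common_names(data):
        host = name.lstrip("*.")  # treat a wildcard name as its parent domain
        for suffix, label in LABELS.items():
            if host == suffix or host.endswith("." + suffix):
                return label
    return "unknown"

def _rdn(cn: str) -> bytes:
    """Build a constructed DER RDN: SET { SEQUENCE { OID commonName, string } }."""
    attr = CN_OID + bytes([0x13, len(cn)]) + cn.encode()
    seq = bytes([0x30, len(attr)]) + attr
    return bytes([0x31, len(seq)]) + seq

# Constructed sample: issuer name followed by subject name, as in a certificate.
SAMPLE = _rdn("Example Issuing CA") + _rdn("mail.google.com")
TRUNCATED = _rdn("mail.google.com")[:-4]  # packet cut off mid-name

if __name__ == "__main__":
    print(common_names(SAMPLE), classify(SAMPLE), classify(TRUNCATED))
```

The issuer name precedes the subject in a certificate, which is why the classifier walks every commonName instead of trusting the first one, and a name cut off by a packet boundary is dropped rather than matched on a partial string.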
