Wireshark: when you need to get down and dirty with individual packets, it's the undisputed champ. But what happens when you're trying to figure out what's actually going down on a high-speed, chaotic network? Not just the wireless activity, but the bigger picture: what is actually going on, which users on the network are active, what they're doing, and what we can actually see. Scrolling through a billion packets to find out who's hogging all the bandwidth with Netflix isn't just a headache; it's practically impossible.
Wireshark is a microscope, but sometimes you need a satellite view. You want to know the big picture: what apps are running, who the top talkers are, and if something sketchy is happening, without spending hours creating ridiculously complex filters.
The Secret Sauce: ntop's nDPI
Enter the total game-changer: nDPI (ntop Deep Packet Inspection).
Think of standard Wireshark as a mailman who only reads the outside of the envelope (the packet header). It sees the to/from address and the port number, but has no clue what's inside. nDPI is like giving your mailman x-ray vision. It looks inside the packet's data to identify the actual application, regardless of the port. It can spot the difference between Skype, BitTorrent, Office365, and Facebook, even when they're trying to be sneaky.
How It Works: The Extcap + Lua Combo
So, how do we get this magic into Wireshark? The super slick solution presented by Luca Deri from ntop uses a one-two punch that doesn't even require you to recompile Wireshark.
Extcap Plugin: This is an "external capture" module. It grabs the traffic, runs it through the nDPI engine to figure out the real protocol, and then cleverly tags each packet with that info before handing it off to Wireshark.
Lua Script: A simple script tells Wireshark how to read those new tags. This unlocks the ability to use killer new display filters like ndpi.protocol.name == "Netflix". Yeah, it's that easy.
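To show the Lua half of that one-two punch, here is an added example of a Wireshark post-dissector that exposes a per-packet application tag as the ndpi.protocol.name filter field. It is not ntop's own ndpi.lua and the trailer layout it parses (name bytes, a 1-byte length, then a 4-byte "NDPI" marker at the very end of the frame) is a hypothetical format chosen for illustration, not the real extcap's format; anything that appends such a trailer to each frame will light the fields up.

```lua
-- Added example (not ntop's code): a minimal post-dissector that turns an
-- application tag appended to each frame into filterable Wireshark fields.
-- Hypothetical trailer layout, read from the end of the frame:
--   ... original frame ... | name bytes | 1-byte name length | "NDPI"
local ndpi = Proto("ndpi_example", "nDPI application trailer (example)")

local f_name = ProtoField.string("ndpi.protocol.name", "Application protocol")
local f_len  = ProtoField.uint8("ndpi.protocol.name_len", "Name length", base.DEC)
ndpi.fields = { f_name, f_len }

local MAGIC = "NDPI"

-- Post-dissectors run after every other dissector on the frame, so the
-- trailer can be located from the end of the buffer without caring about the
-- link-layer encapsulation. Returns true when a trailer was found.
function ndpi.dissector(tvb, pinfo, tree)
  local total = tvb:len()
  -- Need at least: 1 name byte + 1 length byte + 4 magic bytes.
  if total < 6 then return false end

  local magic_off = total - 4
  if tvb:range(magic_off, 4):string() ~= MAGIC then return false end

  local len_off  = magic_off - 1
  local name_len = tvb:range(len_off, 1):uint()
  -- Reject zero-length or out-of-bounds names instead of reading garbage.
  if name_len == 0 or name_len > len_off then return false end
  local name_off = len_off - name_len

  local subtree = tree:add(ndpi, tvb:range(name_off, total - name_off), "nDPI trailer")
  subtree:add(f_len,  tvb:range(len_off, 1))
  subtree:add(f_name, tvb:range(name_off, name_len))

  -- Surface the application name in the Info column as well, so it is
  -- visible while scrolling without applying a display filter.
  pinfo.cols.info:append(" [" .. tvb:range(name_off, name_len):string() .. "]")
  return true
end

register_postdissector(ndpi)
```

Drop the script into the Wireshark plugins directory (or load it with -X lua_script:), and a filter such as ndpi.protocol.name == "Netflix" matches only frames carrying that tag.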
Turning Wireshark into a Monitoring Dashboard
This integration is more than just filters. The Lua script also unlocks a whole suite of new analysis tools that basically turn Wireshark into a legit network monitoring application. You can generate instant reports to get a bird's-eye view of your network traffic.
We're talking about:
Top Applications: Instantly see a breakdown of traffic by app. See how much bandwidth YouTube, Facebook, and Office 365 are really using.
DNS Deep Dive: See the top DNS clients, resolvers, and queries. A great way to spot misconfigurations or sketchy malware behavior.
SSL/TLS Insights: Analyze SSL certificates to see what servers your users are connecting to. You can even spot the weird, algorithmically generated domains used by Tor or malware.
Passive Recon: Identify device types and operating systems just by watching DHCP and HTTP traffic. Find out how many iPhones, Windows PCs, or even HP printers are on your network.
Latency Checks: Quickly measure network and application latency to find out if it's the network or the server that's slow.
The Bottom Line
By combining Wireshark with the power of nDPI, you get the best of both worlds. You can still dive deep into a single packet when you need to, but you can also zoom out and get that high-level, actionable intelligence to understand your network in seconds. It’s a massive level-up for anyone in network analysis.
In reference to the following PDFs:
- https://archive.fosdem.org/2025/events/attachments/fosdem-2025-5461-passive-network-traffic-fingerprinting/slides/238457/nDPI_FOSD_UXCmtUQ.pdf
- https://sharkfest.wireshark.org/retrospective/sfeu/presentations17eu/19.pdf
Relevant Links
ntop on GitHub: http://github.com/ntop/
The Wireshark-ntop Project Files: https://github.com/ntop/wireshark-ntop
The nDPI Library: http://github.com/ntop/nDPI/