| Name | Date | Size | #Lines | LOC |
|---|---|---|---|---|
| .. | 03-May-2022 | - | | |
| sharkfest_scripts/ | 11-Nov-2021 | - | 907 | 556 |
| tshark/ | 11-Nov-2021 | - | 993 | 773 |
| README.md | 11-Nov-2021 | 1.5 KiB | 24 | 13 |
| download-fuzz-traces.sh | 11-Nov-2021 | 381 | 11 | 7 |
| ndpi.lua | 11-Nov-2021 | 54.2 KiB | 1,666 | 1,207 |

README.md

# nDPI Wireshark Plugin

## Introduction

nDPI can provide Wireshark protocol dissection to complement Wireshark's internal protocol decoding. To do this, the ndpiReader application supplies the nDPI protocol dissection, and a Wireshark plugin interprets the nDPI information.

## Installation

- Copy the ndpiReader application (located under nDPI/example) to the Extcap path. See the Wireshark -> About menu to identify the "Personal Extcap path" directory. Under macOS it is usually /Users/username/.wireshark/extcap
- Copy the ndpi.lua plugin under ~/.local/lib/wireshark/plugins

## Usage

At Wireshark startup you will find a new extcap interface named "nDPI interface". Select that interface and specify an interface name (for live capture) or a pcap file path (for reading packets from a pcap file). You can choose an nDPI protocol list from the dropdown menu if you want Wireshark to dissect only protocols of the specified nDPI application protocol.

During capture, ndpiReader passes the nDPI protocol information to Wireshark by adding an Ethernet packet trailer that contains the nDPI information. The Lua plugin interprets this information and displays it in the Wireshark GUI.

## nDPI Packet Filtering

As nDPI is natively integrated into Wireshark, you can filter packets using the usual filtering mechanism. For example, use "ndpi.protocol.name==BitTorrent" to filter all BitTorrent traffic.

# tshark Lua Class

The tshark directory contains a Lua class for processing packets with tshark.