Libprotoident is a library that performs application layer protocol identification for flows. Unlike many techniques that require capturing the entire packet payload, only the first four bytes of payload sent in each direction, the size of the first payload-bearing packet in each direction and the TCP or UDP port numbers for the flow are used by libprotoident. Libprotoident features a very simple API that is easy to use, enabling developers to quickly write code that can make use of the protocol identification rules present in the library without needing to know anything about the applications they are trying to identify.
Libprotoident supports over 300 different application protocols and this number will continue to grow over the course of future releases!
The latest version is 2.0.8 - Released on 2016/04/29
We've now set up a bug tracker and wiki for libprotoident.
Libprotoident is now available on GitHub. If you extend libprotoident or add support for new protocols and would like your additions to make it into the next release, please don't hesitate to send us a pull request.
On Mac OS X, libprotoident may also be installed using Homebrew.
All releases of libprotoident are licensed under the GPL v2.
Important note for developers: The libprotoident API has changed since version 1.0.0. The changes are described in the Developer Documentation page in the libprotoident wiki and the included tools have been updated to use the changed API. Please be sure to update any programs you have written based on libprotoident accordingly (the changes should be minor). If you get stuck, the source code for the tools may help clarify the differences.
Libprotoident requires the following libraries:
Libprotoident has been developed and tested on both Linux and MacOS X operating systems. Libprotoident will compile and run on a PowerPC system but there may be problems with some of the rules due to byte-ordering issues. If this occurs, please file a bug in the libprotoident bug tracker.
Basic usage instructions are included in the README that accompanies the source code. Additional documentation can be found within the source code itself.
The library also comes with some basic tools that demonstrate the capabilities of the library without the need for the user to develop code. The lpi_protoident tool reports the protocol for every flow observed on the provided libtrace input, for instance.
We are always interested in hearing feedback about software projects such as libprotoident. If you have any requests or comments, or wish to report a bug, please email email@example.com or file a ticket in our bug tracker.